Re: Re: PHP Security

Greg Donald wrote:
> On Wed, 8 Dec 2004 08:42:50 -0500, Joshua Beall <jbeall@xxxxxxxxxxx>
> wrote:
>> Can you also provide a link to the relevant message in the mailing list
>> archive?  I would like to read this myself.
>
> http://seclists.org/lists/security-basics/2004/Dec/0080.html

Everything described herein falls under his second category of flaw,
which, loosely translated, is "Bad Programming".

Nowhere does he address the first category of flaw of an inherent flaw in
PHP file uploads, which *HAS* been seen before, but was patched by the PHP
Developers within hours of discovery.

Some minor nit-picking and more advice:

I personally think that if you can't upload your images outside your web
tree then, in fact, your server admin is at fault for not providing you a
directory structure that allows that.  Good security requires cooperation
from both admin and Programmer.  If your webhost does not provide you with
a directory outside your web tree, switch hosts *NOW*.  I can personally
recommend http://hostbaby.com, but there are a few million more providers
who will do this right for you.

Also, you *SHOULD* force the file to be saved on your server with the
correct extension.  If a user can upload a JPEG with .php on the end, or
worse, with php in the middle of the filename, and then your server puts
that file in the web tree or otherwise allows it to be executed, *YOU*
(and your server admin) screwed up your security, not PHP.

And, yes, you *SHOULD* use http://php.net/getimagesize to at least be sure
the beginning portion of the file is an image.  That function won't
guarantee that the image didn't have PHP embedded in the image
file, but at least you'll weed out people trying to upload files that
can't even pretend to be an image file.

Under *NO* circumstances should a file uploaded by an untrusted user be
put into your web tree.  You should *KEEP* it outside the web tree, and
use PHP to http://php.net/readfile it when it needs to be displayed. 
Since you are using PHP's readfile function to *READ* the file, Apache
won't have any chance to get fooled into thinking it's supposed to be a
PHP file and be parsed by PHP.

All of this is up to a cooperative effort on the part of the sysadmin and
the programmer of a site:  The PHP Development Team can only do so much to
keep you from doing something dangerous, just as Detroit can only do so
much to keep you from driving unsafely.

There are *WAY* too many sites out there that do this wrong, because
Programmers can't be bothered learning their craft and understanding
Security issues.  My opinion on such programmers is unprintable. :-)

This is not rocket science, folks.

Somebody you don't trust shouldn't be allowed to dump crap into your web
space willy-nilly.   That's a "Duh" if you ask me.

Granted, how to make it hard for them to do that is not all that simple,
but the basic idea is quite plain, and having enough sense to FIND OUT how
to make it hard is a no-brainer.

-- 
Like Music?
http://l-i-e.com/artists.htm
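
The advice in the message above (store uploads outside the web tree, force the correct extension, check with getimagesize, serve with readfile), as an added example that is not part of the original message. It assumes PHP 7 or later; `UPLOAD_DIR`, `ALLOWED`, `store_upload()` and `serve_image()` are hypothetical names chosen for illustration.

```php
<?php
// Added example. The path and all names defined here are assumptions.
const UPLOAD_DIR = '/home/example/uploads'; // hypothetical; must lie outside the web tree

// Accepted image types, mapped to the extension the server will force.
const ALLOWED = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

/** Store one entry of $_FILES; returns the server-chosen name, or null if rejected. */
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() reads only the header: it weeds out files that cannot
    // even pretend to be images, it does not prove no PHP is embedded later.
    $info = @getimagesize($file['tmp_name']);
    $ext  = $info ? (ALLOWED[$info[2]] ?? null) : null;
    if ($ext === null) {
        return null;
    }
    // The client-supplied filename is never used: random base name plus
    // the extension that matches the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name) ? $name : null;
}

/** Send a stored image as data; no URL maps to the file, so Apache never parses it. */
function serve_image(string $name): void
{
    // Accept only names of the shape store_upload() generates (no path parts).
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    $info = is_file($path) ? @getimagesize($path) : false;
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff'); // browser must not re-guess the type
    header('Content-Length: ' . filesize($path));
    readfile($path); // bytes are copied to the response, never executed
}
```

An upload handler would pass one element of `$_FILES` to `store_upload()` and keep the returned name; a separate display script would pass that name to `serve_image()`.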
