Re: File Upload Security and chmod

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
> So I tried to implement the example code given in the php tmpfile()
> documentation and it wouldn't do anything, which suggests that I don't
> have
> access to the /tmp directory.  Also, the FAQ's section on my server's
> website say that /tmp is not shared between the servers.  So, looks
> like
> /tmp option is out...

Did they perhaps give you your own "tmp" directory elsewhere?...

Sometimes you just need to poke at it to figure out where your "tmp"
is, and then you can use the PHP functions that let you specify your
own directory, but not the ones that assume that system /tmp is your
"tmp"

My host has a "tmp" dir I can use, but it ain't /tmp, and PHP
routinely tries to use /tmp with some functions.  Grrrr.

> So, let me see if I understand the situation I'm looking at here:
>
> The bad side:
> -- I don't have any place to put uploaded files outside of my webtree,
> which
> makes it tough to ensure these files cannot be surfed to once they are
> uploaded, and also means I have to do my security checks while the
> files are
> within my webtree and potentially accessible.  (BAD).

Yes.

Though if file uploads are working at all, looking at the $_FILES
array may give you a clue as to a directory that you maybe *can*
access which is your own private "tmp"...

> -- Any php script on my server (created by me or somehow maliciously
> uploaded) can do whatever it wants within my account because all php
> scripts run as me.  (also BAD).

On the plus side, some of the coding gets real simple, since you are
you, and you are never somebody else. :-)

> The good side:
> -- Uploaded files can be chmod so that nobody can read them, then I
> chmod
> them when I need to use them.  This adds a layer of protection for
> completely uploaded files.  I assume this will not help with files
> while
> they are getting their security checks, since PHP has to be able to
> read and
> execute them in order to run the checks (get_image_size, etc.)?

PHP needs to read them for get_image_size, but not execute.

Use minimum force needed.

If you are flipping the chmod around within your scripts, that reduces
your risk to however long the dir remains in its 0777 (or whatever)
state, which is however long your script takes to process whatever it
has to process in that state.

So long exhaustive checks of the validity of a file are "bad" because
that leaves that window open longer, but they're "good" because the
file is then more likely to be kosher.

> -- Since I'm only allowing image uploads, I can strictly filter which
> files
> are allowed to be uploaded (with extension checks and get_image_size).

Extension check is kinda useless...

I can name any file I want with .jpg and upload it.

get_image_size() is good, as it checks the first N bytes -- But
somebody somewhere can construct a worm with the first N bytes that
LOOK like a valid image, to get_image_size()

A human eyeball check would be even better, as then you *know* that a
much larger number of bytes are a valid image.

It could still be "image+worm" with the worm tacked on at the end, and
a valid image at the front, which the browser would probably just go
ahead and display as valid image. :-(

The odds of somebody able to construct a valid-looking image whose
exact byte sequence is also a worm are pretty low, but not
impossible... :-)

> (Plus
> all the stuff talked about in the PHP Security Guide provided by the
> PHP
> Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well,
> all of
> it that I can implement without having access to a directory outside
> of my
> webtree anyway).

Be careful.

It's entirely possible that *some* of the advice would put you at
higher risk with your setup, if their assumption is the "nobody" user
and a directory outside web-tree.

So just because you *CAN* implement your advice in your situation,
won't mean you should.

You're going to have to examine every little thing on a case-by-case
basis with your Security Hat on firmly -- Which means thinking "If I
was Evil, how would I break this?"

> So, given this situation (if I've got it right), I have two questions:
>
> 1) With the above "as is", am I just asking for anyone to come in and
> tear
> my site apart?  I am not an experienced web developer (obviously), but
> I
> love to read.  Is that enough to build a secure site, or am I just way
> in
> over my head?

There's no such thing as "a secure site"...

A secure site is not an off/on switch.  It's more a gradient from
horrible to very strong.

And the act of building a Secure site is not even just a question of
following all the "rules" in http://phpsec.org and so on.

It's a thought process, a living breathing intelligent human actually
*thinking* about what they are doing, and what the Risks are, and what
the Benefits are, and trying to consider every possible angle of every
decision.

Are you building an e-commerce site, right out of the gate, on a
server configured like this?  Bad Idea.

Are you building just a photo upload site?  Probably with a lot of
thought and reading and even more thinking, you can do fine.

You're just going to have to substitute thinking with your own brain
for following the standard advice. :-)

It's certainly going to be better for you in the long run, if nothing
else, as you'll actually THINK more about this stuff than just
following instructions.

> 2) Imaging that I can convince my host to rebuild my site so that I
> have
> access to directories outside of my webtree and can check and save
> uploaded
> files there, does that make the situation substantially better?  Or is
> the
> "PHP running as me" thing enough alone to raise some serious serious
> problems (perhaps less around the image uploading but more around a
> login
> page or something)?

In some ways, having the server running as you is "better" for
security, as any files that you do *NOT* want other users on the same
server to see, you can more easily chmod them to be 0600 or 0400 or
whatever, so only YOU can do anything with them.

So when you read advice to use 0777 you can immediately change that to
0700, because the only access needed is for you, not your group, and
not the "world" of other users on that machine.

The downside is that if somebody does manage to inject any PHP code
(or any other executable code) their injection will be far more
powerful, as it runs as you, a powerful user, and not "nobody" a
powerless users.

So you'll want to be even more careful than usual with the file
uploads to be sure they do not contain any harmful executable
script/code.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux