• Status: Solved

multiple file upload tool

I've created a multiple file upload tool using PHP.  It's in testing stages at the moment, but I'm just wanting to know what I should look out for, just in case I've missed anything.

Below is a list of what I've covered already:

set MAX_FILE_SIZE
check if size of file is not greater than MAX_FILE_SIZE
check if size of file is not zero e.g. no file selected
check file mime type
check if getimagesize() returns true or false
check if move_uploaded_file() returns true or false

I'm wanting to make my file upload tool bulletproof and am looking for some suggestions to achieve this for an upload tool.

Are there any other things I should look out for, etc.?

I will not be posting my code, as I've put a lot of work into coding this script and I don't want somebody coming along, taking it and saying "hey look what I created".

My script supports multiple file uploads and supports GIF, PNG, JPG file types.

Also, what about this vulnerability?

telnet example.com 80
POST /your_form.php HTTP/1.1
Host: example.com
Content-type: image/gif

INSERT FAVORITE TROJAN WORM HERE

How do I overcome this?

Thank you
ellandrd
 
jgsemo Commented:
I would check if the file already exists; other than that, it looks good.
 
ellandrd (Author) Commented:
Vulnerability?
 
Kosta Commented:
When dealing with uploads, the script execution time limitation is taking place. Usually it is 30 secs. It can be increased within the script unless in safe mode.

About the vulnerability, I am not a security specialist, but I think, if you will check the file extension, and it is one of the image types, what can the worm do, being inside some .JPG file?
 
ellandrd (Author) Commented:
I am not a security specialist either, so I don't know... sorry, I'm not being cheeky.
 
mc1arke Commented:
The script concept is looking good.

The only thing you can really do to stop the POST method you mentioned is to use some sort of user log-in system, or add a form field with an md5 stamp of the time and a special string (which you can get the system to generate randomly or according to certain factors), and check this md5 matches the expected input in the uploading page. If you need any help then just post a query, I would be happy to guide you further.
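An added example, not part of mc1arke's post or the asker's script: one way to build the stamped form field described above. It swaps the bare md5 of time plus string for an HMAC-SHA256 keyed with a random per-session secret; the function names and the 15-minute lifetime are assumptions.

```php
<?php
// Added example: helper names and TOKEN_TTL are hypothetical, not from the thread.
session_start();

const TOKEN_TTL = 900; // seconds a rendered form stays valid (assumed value)

// Per-session secret: the "special string", generated randomly by the server.
function upload_secret(): string
{
    if (empty($_SESSION['upload_secret'])) {
        $_SESSION['upload_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['upload_secret'];
}

// Value for the hidden form field: "<timestamp>:<MAC of timestamp>".
function make_upload_token(?int $now = null): string
{
    $ts = (string) ($now ?? time());
    return $ts . ':' . hash_hmac('sha256', $ts, upload_secret());
}

// Called by the upload handler before it looks at $_FILES.
function check_upload_token(string $token, ?int $now = null): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$ts, $mac] = $parts;
    $expected = hash_hmac('sha256', $ts, upload_secret());
    $age = ($now ?? time()) - (int) $ts;
    // hash_equals() compares in constant time; stale or future stamps are rejected.
    return hash_equals($expected, $mac) && $age >= 0 && $age <= TOKEN_TTL;
}

// In the form: emit make_upload_token() as a hidden field named "token".
// In the upload handler:
$token = $_POST['token'] ?? '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && (!is_string($token) || !check_upload_token($token))) {
    http_response_code(403);
    exit('Invalid or expired upload token');
}
```

The token only shows that the POST followed a form load in the same session, so the checks on the uploaded file itself still apply.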
 
ellandrd (Author) Commented:
>>If you need any help then just post a query, I would be happy to guide you further

Yes please, as I don't understand what you mean.
 
basicinstinct Commented:
Regarding the Trojan issue - if you are accepting files from untrusted sources you have to treat them as dangerous.  It doesn't matter if someone does send you a trojan - just don't execute any files until they have been scanned for viruses.  So, grab the file, quarantine it, virus scan it, use it.  

Of course, the only way to be 100% safe is to disconnect your network card.
 
dr_dedo Commented:
I guess it is important that you check the mime of uploaded files and reject all but those you trust, e.g. jpg. Also ignore php, pl files; it would be so silly to find a user uploading a php file and executing it on your server :)
In the form that does file submission, use CAPTCHA for preventing bots and malicious users.
Also, I guess it would be better if you check the IP from which you get these files and block it temporarily or permanently if it floods you, say a user can't upload 10 files per hour, per day, or whatever suits you.
Also, you can prevent direct access to your uploaded files, I mean from the browser, using some apache mods, e.g. rewrite, exactly the way you would prevent image hot linking.
Also, logging what each user uploads would keep track of whose stuff these are... log everything you can.
Sorry for being a bit paranoid, but better safe than sorry, right?
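An added example, not code from the thread: server-side checks for one uploaded image that ignore the client-sent Content-type shown in the question and decide from the file's bytes instead. The function name, the 2 MB limit and the storage directory (assumed to sit outside the web root) are assumptions.

```php
<?php
// Added example: names, size limit and paths are hypothetical.
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

// $file is one normalised entry from $_FILES; returns the stored file name.
function store_uploaded_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an HTTP upload');
    }
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('empty or oversized file');
    }
    // $file['type'] and $file['name'] are supplied by the client, so neither
    // is used for any decision; the type is detected from the content.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('type not allowed');
    }
    // The image parser must agree with the detected type.
    $info = getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen name: random stem, extension taken from the detected type,
    // so an uploaded name ending in .php or .pl never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // plain data file: readable, no execute bit
    return $name;
}
```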
 
dutchclan Commented:
Last maybe but not least. If you move uploaded files do check the chmod setting (rights on the file) or just set 'em right by default...

Note: reading an image to a var (fopen fread fclose) and then streaming the source after setting the header like header('content-type:image/"type"'); will remove the need for the "execution" right on the file. Thus preventing people from executing it if you set the chmod by default. Now they can upload any trojan, just resulting in an "X" not able to display jpeg.

Just don't accept the media files from Windows Media Player which allow additional code to execute.

-Good luck

Regards Chris.
 
dutchclan Commented:
Note: reading an image to a var (fopen fread fclose) and then streaming the source after setting the header like header('content-type:image/"type"'); will remove the need for the "execution" right on the file. Thus preventing people from executing it if you set the chmod by default. Now they can upload any trojan, just resulting in an "X" not able to display jpeg.

// Read the stored image as binary data; only read permission is needed.
$path = "path/to/file.jpg";
$fp = fopen($path, "rb");
$source = fread($fp, filesize($path));
fclose($fp);

// Send the bytes with an explicit image content type.
header('Content-Type: image/jpeg');
echo $source;

<< This would only need read rights on a file and is quite safe next to all the other validations you are performing ;)
 
ellandrd (Author) Commented:
dr_dedo

>>CAPTCHA - excellent idea!
>>block if user is trying to flood me - another excellent idea!

dutchclan

>>preventing people from executing it if you set the chmod by default - excellent idea again!

Cheers guys!