stackoom
  简体   繁体   中英

security risks if someone uploads a php file instead of an image

 原文  2012-08-20 22:33:57       php/ security/ image-uploading

Question

Suppose that our web-hosting is linux and php is installed: 1- What could be the worst that happens when a php code can be uploaded instead of an image.

2- Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.

3- What if when the image directory has 644 permission?

The answer to my question can be combined with the ones given to these two: Security: How to validate image file uploads? and Security issues in accepting image uploads

2 answers

solution1
 3 ACCPTED  2012-08-20 22:40:00

What could be the worst that happens when a php code can be uploaded instead of an image.

Worst case: Intruder can execute arbitrary PHP code, maybe even arbitrary code on the server. If the attacker is clever enough while the sysadmins aren't, he might even own the whole server/subnet/network/...

Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.

If the attacker can execute PHP code (which of course depends on your security measures), he can definitely read files from the current user, so the answer is most probably yes.

What if when the image directory has 644 permission?

Unless you use PHP in CGI mode, the execute bit shouldn't be necessary for the webserver to execute a script, so that alone doesn't help.

Of course those are not the questions you should ask. The question you should ask is how to prevent an attacker from uploading an executable PHP file in the first place. My answer to that is that you should check the file extension against a white list and drop everything else, for example: 

$pattern = "/\.(jpe?g|gif|png)$/iD";
if (!preg_match($pattern, $filename))
    die("Please don't.");

solution2
 2  2012-08-20 22:39:21

You should make sure you don't allow parsing of php files in your image directory, since I'm assuming it's going to be open to the public.

You could do this in the /images/.htaccess file with 

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3

That way if they try to go to domain.com/images/hackdatabase.php it'll just return their code and not the file.

But you should check to make sure its' an image in the first place.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Including a PHP File: cURL, Pathing, and Security Risks php security issue - file uploads PHP filter and security risks PHP Security Risks - Pass image into GET and output it as result Security: How to validate image file uploads? Allowing large file uploads in PHP (security) PHP multiple file upload uploads same image 5 times instead of all files How to avoid UNLINK security risks in PHP? What are the security risks of using PHP magic constants? PHP | Security for allowing user uploads
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM