Home page logo

basics logo Security Basics mailing list archives

Re: PHP Security Risk?
From: John GALLET <john.gallet () wanadoo fr>
Date: Fri, 3 Dec 2004 15:48:32 +0100 (CET)

Hi there,

  I don't know if this is the right mailing list to ask this, if not
don't hesitate to warn me. 
May be web-apps security would have been better, but if the moderator(s) 
accepted your post, then it is in topic.

I'm using a Windows Server 2003 with IIS6
and PHP5.  Fully patched, by the way.  Someone asked me to enable the
file-upload function in PHP so people could upload files to his web
site, which is one of many I host.  Does anyone know if file uploading
in PHP could cause a security risk on the server?

There are two kinds of flaws :
- flaws inherent to the php langage itself, as seen before, in file 
- danger in uploading files at all on the server, not dependent on the 
langage used to handle the actual upload, but regarding the potential 
execution of uploaded files. 

For example, take a valid jpg file, add at the end some PHP scripts, and
upload it with a .php extension. Call it directly from the URL. The
begininng will be ignored, but the php script will be executed. So
checking the supposed file type (declared in its header) is no use if done
alone. You can then check the file extension, and allow only .jpg and .gif
files.  Again, if your web server is badly configured and, for example (I
saw this actually) associates PHP with any file *containing* the "php"
string in its name, such as "foophpbar.jpg", the script will also be

So you must, in all applications uploading files:
- store it OUTSIDE of the html docroot so it will never be called from the 
outside world (rarely possible, but if you can, go for it).
- check the name of the file versus the way the web server launches php 
(or asp r perl or any dynamic web langage installed on the machine)
- check the type of the file by looking at its content (not very useful, 
but better than nothing.

The real danger is that this security part is left te be handled by the 
*programmer* not the sysadmin.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]