Security Basics mailing list archives
Re: PHP Security Risk?
From: John GALLET <john.gallet () wanadoo fr>
Date: Fri, 3 Dec 2004 15:48:32 +0100 (CET)
> Hi there,
> I don't know if this is the right mailing list to ask this, if not don't hesitate to warn me.

Maybe web-apps security would have been better, but if the moderator(s) accepted your post, then it is on topic.

> I'm using a Windows Server 2003 with IIS6 and PHP5. Fully patched, by the way. Someone asked me to enable the file-upload function in PHP so people could upload files to his web site, which is one of many I host. Does anyone know if file uploading in PHP could cause a security risk on the server?

There are two kinds of flaws:
- flaws inherent to the PHP language itself, as seen before, in file uploads.
- danger in uploading files at all on the server, not dependent on the language used to handle the actual upload, but regarding the potential execution of uploaded files.

For example, take a valid jpg file, add at the end some PHP scripts, and upload it with a .php extension. Call it directly from the URL. The beginning will be ignored, but the php script will be executed. So checking the supposed file type (declared in its header) is no use if done alone.

You can then check the file extension, and allow only .jpg and .gif files. Again, if your web server is badly configured and, for example (I saw this actually), associates PHP with any file *containing* the "php" string in its name, such as "foophpbar.jpg", the script will also be executed.

So you must, in all applications uploading files:
- store it OUTSIDE of the html docroot so it will never be called from the outside world (rarely possible, but if you can, go for it).
- check the name of the file versus the way the web server launches php (or asp or perl or any dynamic web language installed on the machine)
- check the type of the file by looking at its content (not very useful, but better than nothing).

The real danger is that this security part is left to be handled by the *programmer*, not the sysadmin.

HTH
John GALLET
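The three checks John lists, combined in one upload handler. This is an added example, not code from the original thread; it assumes PHP 7 or later with the fileinfo extension, a form field named "photo" and a private directory `/srv/uploads_private` outside the docroot (both hypothetical).

```php
<?php
// Added example: hardened upload handling applying the checks from the post.
// Assumes PHP 7+, the fileinfo extension, and that $uploadDir lies OUTSIDE
// the web docroot (hypothetical path, adjust for your server).
declare(strict_types=1);

// Allowlist: permitted extension => MIME type its content must really have.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

function storeUpload(array $file, string $uploadDir): string
{
    // Only accept files that genuinely came through PHP's upload mechanism.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }

    // Check 1: extension allowlist, taken from the client-supplied name.
    $clientName = basename($file['name']);
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // Check 2: the post's "foophpbar.jpg" case. If the server maps a handler
    // on a substring of the name, any name mentioning a script language is unsafe.
    if (preg_match('/php|asp|perl/i', $clientName)) {
        throw new RuntimeException('Name matches a script-handler pattern');
    }

    // Check 3: content sniffing. Note the caveat from the post: a valid JPEG
    // with PHP appended still reports image/jpeg here, so this check alone
    // proves little; it only catches files that are not images at all.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("Content is $mime, expected " . ALLOWED_TYPES[$ext]);
    }

    // Never reuse the client name: store under an opaque, server-chosen name
    // in a directory the web server does not serve, so nothing can be called by URL.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $stored)) {
        throw new RuntimeException('Could not move upload');
    }
    return $stored;
}

// Usage with the hypothetical form field and private directory:
// $name = storeUpload($_FILES['photo'], '/srv/uploads_private');
```

Files stored this way are later served by a read-only script that streams the bytes with a fixed image Content-Type, never by a direct path under the docroot.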
Current thread:
- PHP Security Risk? Stephane Auger (Dec 02)
- Re: PHP Security Risk? John GALLET (Dec 03)
- Re: PHP Security Risk? Greg Donald (Dec 03)
- Re: PHP Security Risk? q q (Dec 06)
- Re: PHP Security Risk? Daniel Rubio (Dec 09)
- Re: PHP Security Risk? John GALLET (Dec 07)
- Re: PHP Security Risk? Greg Donald (Dec 03)
- Re: PHP Security Risk? John GALLET (Dec 03)
- Re: PHP Security Risk? Simon (Dec 03)
- RE: PHP Security Risk? AndrewC (Dec 03)
- Re: PHP Security Risk? Andrew Smith (Dec 03)