Security Basics mailing list archives
Re: PHP Security Risk?
From: Simon <simon () xhz ca>
Date: Thu, 02 Dec 2004 15:35:36 -0500
It all depends on how you handle the file after it has been uploaded. Is it sent in a public directory, accessible from the web?
Take the following very simple example:
I have a very malicious PHP script that gets all the information I need to crack your machine.
I upload it through the upload script you have.
I execute the file because it is now on your server and is public.

The upload in itself is not a problem. It's what you do with the uploaded data that may cause trouble. Remember to never ever trust what can be input from public users (even private users), variables, get/post, files...
HTH,
Simon

Stephane Auger wrote:

Hi guys,

I don't know if this is the right mailing list to ask this, if not don't hesitate to warn me.

I'm using a Windows Server 2003 with IIS6 and PHP5. Fully patched, by the way. Someone asked me to enable the file-upload function in PHP so people could upload files to his web site, which is one of many I host.

Does anyone know if file uploading in PHP could cause a security risk on the server? I know there used to be many flaws in the old versions, but I don't know about now... I haven't seen anything recent about this.

Thanks for your help!

Stephane Auger
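
The reply above locates the risk in what happens to the file after upload, so here is an added example (not code from the thread or its participants) of an upload handler that keeps uploaded data out of any web-served, script-executing directory and ignores client-supplied names and types. `UPLOAD_DIR`, `MAX_BYTES`, `ALLOWED_TYPES`, the form field `userfile` and `store_upload()` are hypothetical names, and the code assumes a current PHP release (7 or later) with the fileinfo extension enabled.

```php
<?php
// Added example: hypothetical upload handler, not from the original thread.
declare(strict_types=1);

// Assumed storage path OUTSIDE the site's document root, so a stored file
// can never be requested by URL and run by the PHP handler.
const UPLOAD_DIR = 'D:/app-data/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
// Allow-list: MIME type detected from content => extension the server assigns.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

function store_upload(array $file): string
{
    // A non-scalar or non-OK error code means a malformed or failed upload.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Accept only a temp file PHP itself received over HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the bytes, never from $file['name'] or $file['type'],
    // both of which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('type not allowed');
    }
    // Server-generated name and extension: no ".php", no path traversal.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name; // keep the original filename only as metadata, if at all
}

if (PHP_SAPI !== 'cli' && isset($_FILES['userfile'])) {
    try {
        echo 'stored as ', store_upload($_FILES['userfile']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage();
    }
}
```

Stored files would then be served back through a separate download script that reads them as data and sets the Content-Type itself, so nothing in the upload directory is ever handed to the PHP interpreter.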