PHP actively supports file uploads based on RFC 1867. Let's look at the example below:

    <FORM METHOD="POST" ENCTYPE="multipart/form-data">
    <INPUT TYPE="FILE" NAME="hello">
    <INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE=
The code above allows the user to select a file from the local machine; after clicking submit, the file is uploaded to the server. This is obviously very useful, but the way PHP handles such a request makes the feature insecure. When PHP receives a request of this kind, it accepts the file from the remote user before it even begins to parse the PHP code being called. It checks whether the file length exceeds the value defined by the MAX_FILE_SIZE variable and, if the file passes these tests, stores it in a local temporary directory.
Therefore, an attacker can send arbitrary files to any host running PHP: before the PHP program has even decided whether it wants to accept file uploads, the file is already stored on the server.
I will not discuss the possibility of DoS attacks on the server via file uploads.
Let's take a look at the PHP program that processes file uploads. As mentioned above, the file has been received and stored on the server (the location is specified in the configuration file, usually /tmp) under a generally random name such as "phpxXuoXG". The PHP program needs information about the uploaded file in order to process it. In PHP 3 this can be obtained in two ways; the second was introduced after a security notice about the first.
However, the problem still exists: most PHP programs still use the old method to process uploaded files. PHP sets four global variables describing the uploaded file. For the form above, these are:
$hello = filename on the local machine (e.g. '/tmp/phpxXuoXG')
$hello_size = size of the file in bytes (e.g. 1024)
$hello_name = the original name of the file on the remote system (e.g. 'C:\temp\hello.txt')
$hello_type = MIME type of the uploaded file (e.g. 'text/plain')
The PHP program then starts processing the file named by $hello. The problem is that $hello is not necessarily a variable set by PHP: any remote user can specify it. Suppose the following request is made:
http://vulnhost/vuln.php?hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name=hello.txt
This produces the following PHP global variables (the same can of course be done with the POST method, or even with cookies):
$hello = '/etc/passwd'
$hello_size = 10240
$hello_type = 'text/plain'
$hello_name = 'hello.txt'
This form data satisfies the variable checks in the PHP program, but the program no longer processes an uploaded file; instead it processes "/etc/passwd" (which usually results in the file's contents being exposed). This attack can be used to expose the contents of any sensitive file.
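The pattern described above beside the hardened form of the same handler, as an added example that is not code from the original article: the vulnerable version trusts the request-supplied $hello variables, while the hardened version reads only $_FILES and verifies with is_uploaded_file() / move_uploaded_file() that the path really is a file PHP received in this request. The field name "hello" comes from the form above; the destination directory and the generated file name are assumptions.

```php
<?php
// Added example, not from the original article.

// VULNERABLE (old register_globals style): $hello, $hello_name and $hello_size
// can all be supplied directly by the client (e.g. ?hello=/etc/passwd), so the
// script copies an arbitrary server-side file instead of the real upload.
function handle_upload_vulnerable($hello, $hello_name, $hello_size, $max_size)
{
    if ($hello_size > $max_size) {        // the "size check" is attacker-supplied too
        return false;
    }
    // $hello may name any readable file; $hello_name may contain path separators.
    return copy($hello, '/var/www/uploads/' . $hello_name);   // assumed directory
}

// HARDENED: use $_FILES only, confirm the temp path was created by this upload,
// check the size on the server side, and never use the client's name as a path.
function handle_upload_hardened(array $files, $dest_dir, $max_size)
{
    if (!isset($files['hello']) || $files['hello']['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $files['hello']['tmp_name'];
    if (!is_uploaded_file($tmp)) {        // rejects any path PHP did not receive as an upload
        return false;
    }
    if (filesize($tmp) > $max_size) {     // server-side limit; MAX_FILE_SIZE is advisory only
        return false;
    }
    // Choose the stored name ourselves; the original client name is untrusted input.
    $dest = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.bin';
    return move_uploaded_file($tmp, $dest);   // likewise refuses non-upload sources
}

// Usage (assumed destination directory and 10240-byte limit):
// $ok = handle_upload_hardened($_FILES, '/var/www/uploads', 10240);
```

Note that the hardened version also avoids the unrelated path-traversal risk of writing to a client-chosen file name.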