Security issues with file upload in PHP programs on dynamic web pages

Source: Internet
Author: User
PHP actively supports file upload based on RFC 1867. Let's look at the example below:

<FORM METHOD="POST" ENCTYPE="multipart/form-data">
<INPUT TYPE="FILE" NAME="hello">
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="...">
<INPUT TYPE="SUBMIT">
</FORM>

The code above allows the user to select a file from the local machine. After clicking submit, the file is uploaded to the server. This is obviously very useful, but the way PHP responds makes this feature insecure. When PHP first receives such a request, before it even starts to parse the called PHP code, it accepts the file from the remote user and checks whether the file length exceeds the value defined by the "$MAX_FILE_SIZE" variable. If the file passes these tests, it is stored in a local temporary directory.

Therefore, attackers can send arbitrary files to the host running PHP. Before the PHP program has decided whether to accept the file upload, the file is already stored on the server.

I will not discuss the possibility of DoS attacks on the server by means of file upload.

Let's take a look at the PHP program that processes file uploads. As mentioned above, the file is received and stored on the server (the location is specified in the configuration file, usually /tmp), and the file name is generally random, something like "phpxXuoXG". The PHP program needs information about the uploaded file in order to process it. This is available in two ways: one was in use in PHP 3, and the other was introduced after we issued a security advisory on the previous method.

However, the problem still exists: most PHP programs still use the old method to process uploaded files. PHP sets four global variables to describe the uploaded file. For the example above:

$hello = Filename on local machine (e.g. '/tmp/phpxXuoXG')
$hello_size = Size in bytes of file (e.g. 1024)
$hello_name = The original name of the file on the remote system (e.g. 'C:\temp\hello.txt')
$hello_type = Mime type of uploaded file (e.g. 'text/plain')

The PHP program then starts processing the file specified by "$hello". The problem is that "$hello" is not necessarily a variable set by PHP; any remote user can specify it. Suppose the following request is used:

http://vulnhost/vuln.php?hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name=hello.txt

This results in the following PHP global variables (of course, the POST method can also be used, or even cookies):

$hello = '/etc/passwd'
$hello_size = 10240
$hello_type = 'text/plain'
$hello_name = 'hello.txt'

The form data above satisfies the variables the PHP program expects, but the program is no longer processing an uploaded file; instead, it processes "/etc/passwd" (which usually results in its content being exposed). This attack can be used to expose the content of any sensitive file.
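
One way to close this hole is to read upload details only from the array PHP itself fills in and to confirm the temporary path with is_uploaded_file() before touching it. The handler below is an added example, not code from the original article; it assumes PHP 7 or later, and save_upload(), its parameters and the forged sample array are hypothetical names constructed for illustration.

```php
<?php
// Added example, not from the original article. save_upload(), $destDir and
// $maxBytes are hypothetical names chosen for illustration.

// Old pattern described above (unsafe when request parameters become globals):
//   readfile($hello);   // $hello may be '/etc/passwd' from the query string

/**
 * Accept the upload in field $field only if PHP itself received it.
 * Returns the stored path, or throws RuntimeException.
 */
function save_upload(array $files, string $field, string $destDir, int $maxBytes): string
{
    // The entry must be the array PHP builds for a real multipart upload,
    // not a scalar such as hello=/etc/passwd.
    $f = $files[$field] ?? null;
    if (!is_array($f) || !isset($f['tmp_name'], $f['error']) || !is_string($f['tmp_name'])) {
        throw new RuntimeException('no upload in field');
    }
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . $f['error']);
    }
    // is_uploaded_file() is true only for files received via HTTP POST upload
    // in this request, so a path chosen by the client is rejected here.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Measure the file on disk; the client-reported size is not trusted.
    $size = filesize($f['tmp_name']);
    if ($size === false || $size > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // Server-chosen name; the client's original name is never used as a path.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Constructed input mimicking the forged request from the article: the
// client-supplied path never passes is_uploaded_file().
$forged = ['hello' => ['tmp_name' => '/etc/passwd', 'error' => UPLOAD_ERR_OK,
                       'size' => 10240, 'name' => 'hello.txt', 'type' => 'text/plain']];
try {
    save_upload($forged, 'hello', sys_get_temp_dir(), 10240);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// In a real handler: save_upload($_FILES, 'hello', $destDir, $maxBytes);
```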
