Read /etc/passwd!
[File Upload]
PHP has built-in support for file uploads based on RFC 1867. Consider the example below:
<form method="post" enctype="multipart/form-data">
<input type="file" name="hello">
<input type="hidden" name="MAX_FILE_SIZE" value="10240">
<input type="submit">
</form>
The code above lets the user select a file from the local machine; when they click Submit, the file is uploaded to the server. This is obviously a very useful feature, but the way PHP handles the request makes it insecure. When PHP receives such a request, even before it starts parsing the PHP script being called, it first accepts the remote user's file and checks whether its length exceeds the value given in the MAX_FILE_SIZE field. If the file passes these checks, it is stored in a local temporary directory.
Therefore, an attacker can send arbitrary files to any host running PHP. Before the program has even decided whether to accept the file upload, the file already exists on the server.
I will not discuss the possibility of using file uploads to mount a DoS attack against the server.
Let's consider how a PHP program processes file uploads. As mentioned above, the file is received and stored on the server (in a location specified in the configuration file, usually /tmp) under a largely random name, something like "phpxxuoxg". The PHP program needs information about the uploaded file in order to process it, and there are two ways to obtain it: one has been used since PHP 3, the other was introduced after we published a security bulletin on the previous method.
However, we can say with certainty that the problem still exists: most PHP programs still use the old method to process uploaded files. PHP sets four global variables describing the uploaded file. For the example above, these are:
$hello = filename on the local machine (e.g. "/tmp/phpxxuoxg")
$hello_size = size of the file in bytes (e.g. 1024)
$hello_name = the original name of the file on the remote system (e.g. "C:\temp\hello.txt")
$hello_type = MIME type of the uploaded file (e.g. "text/plain")
The PHP program then processes the file named by $hello. The problem is that $hello is not necessarily a variable set by PHP; it can be supplied by any remote user. A request such as the following:
http://vulnhost/vuln.php?hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name=hello.txt
leads to the following PHP global variables (the POST method, or even a cookie, works just as well):
$hello = "/etc/passwd"
$hello_size = 10240
$hello_type = "text/plain"
$hello_name = "hello.txt"
The form data above satisfies every variable the PHP program expects, but instead of processing an uploaded file the program processes "/etc/passwd" (which usually results in its contents being exposed). This attack can be used to expose the content of any sensitive file the PHP process can read.
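The fix is to stop trusting request-supplied variable names for the temporary path. The handler below is an added example (not code from the original article): it processes the same "hello" field from the form above, but reads the upload metadata from the $_FILES superglobal, which cannot be populated from a query string or cookie, and verifies with is_uploaded_file() that the path really was written by PHP during this request. The destination directory and the stored-name scheme are assumptions for illustration.

```php
<?php
// Added example, not from the original article: a hardened handler for the
// "hello" upload field. It replaces the old register_globals pattern
// ($hello, $hello_size, $hello_name, $hello_type) with $_FILES plus
// is_uploaded_file()/move_uploaded_file(). UPLOAD_DIR is an assumed path.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed destination, kept outside the web root
const MAX_BYTES  = 10240;                // the same limit the form advertises in MAX_FILE_SIZE

// The pattern being replaced, shown for contrast only (do not use):
//   $data = file_get_contents($hello);   // $hello is attacker-controlled under register_globals

function handleUpload(array $files): array
{
    // 1. Confirm the field exists and PHP reported a successful upload.
    if (!isset($files['hello']) || !is_array($files['hello'])) {
        return ['ok' => false, 'reason' => 'no upload field'];
    }
    $f = $files['hello'];
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error code ' . (int) $f['error']];
    }

    // 2. Enforce the size limit server-side. The hidden MAX_FILE_SIZE field is
    //    only advisory; the client can change or omit it.
    if ((int) $f['size'] > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'file too large'];
    }

    // 3. is_uploaded_file() is true only for a path PHP itself created while
    //    receiving this HTTP POST, so a path such as "/etc/passwd" injected
    //    into the request is rejected here regardless of how it arrived.
    if (!is_uploaded_file($f['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }

    // 4. Choose the stored filename ourselves. The client-supplied name
    //    ($hello_name / $f['name']) may contain path separators or an
    //    extension the web server would execute.
    $stored = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.bin';

    // 5. move_uploaded_file() repeats the is_uploaded_file() check before
    //    moving, so steps 3 and 5 together leave no window for substitution.
    if (!move_uploaded_file($f['tmp_name'], $stored)) {
        return ['ok' => false, 'reason' => 'move failed'];
    }

    return ['ok' => true, 'path' => $stored, 'size' => (int) $f['size']];
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    header('Content-Type: application/json');
    echo json_encode(handleUpload($_FILES));
}
```

Two points worth noting about this design. First, the MAX_FILE_SIZE check is repeated in the script because the hidden form field is a hint to PHP's upload handler, not a server-side control; the request body can simply omit it. Second, the whole class of attack described in this section depends on register_globals, which turned every request parameter into a PHP variable; it was disabled by default in later PHP 4 releases and removed in PHP 5.4, but code written to the old $hello convention remains unsafe wherever that setting is still on, so migrating to $_FILES is the durable fix.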