Security problem of file uploading in Dynamic Web PHP program

Source: Internet
Author: User
Tags file upload variables php code

PHP automatically supports file uploads based on RFC 1867, let's look at the following example:

<form method= "POST" enctype= "Multipart/form-data" >
<input type= "FILE" name= "Hello" >
<input type= "HIDDEN" name= "max_file_size" value= "10240" >
<input type= "SUBMIT" >
</FORM>

The above code allows the user to select a file from the local machine, and the file is uploaded to the server when the submission is clicked. This is obviously a useful feature, but the way PHP responds makes this feature unsafe. When PHP first receives this request, and even before it starts parsing the invoked PHP code, it accepts the remote user's file, checking whether the file is longer than the value defined by the "$MAX _file_size variable", if you pass these tests, The file will be present in a local temporary directory.

As a result, an attacker could send arbitrary files to the host running PHP, and the file was already on the server when the PHP program had not yet decided whether to accept the file upload.

Here I will not discuss the possibility of using file uploads to Dos attacks on a server.

Let's consider the PHP program that handles file uploads, as we said above, the files are received and exist on the server (the location is specified in the configuration file, generally/tmp), and the extension is generally random, similar to the "Phpxxuoxg" form. The PHP program needs to upload information about the file to handle it, which can be done in two ways, one in PHP 3, and one in the security bulletin we put in the previous method.

However, we can say for sure that the problem still exists, most PHP programs still use the old way to process uploaded files. PHP set up four global variables to describe the uploaded file, such as the above example:

$hello = Filename on the local machine (e.g "/TMP/PHPXXUOXG")
$hello _size = size in bytes of file (e.g 1024)
$hello _name = The original name of the file on the remote system (e.g "C:\\temp\\hello.txt")
$hello _type = Mime type of uploaded file (e.g "Text/plain")

Then the PHP program starts processing the file specified according to "$hello", the problem is that "$hello" is not necessarily a variable of PHP settings, and any remote user can specify it. If we use the following method:

Http://vulnhost/vuln.php?hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name= Hello.txt

leads to the following PHP global variable (and, of course, the post can be (or even a cookie)):

$hello = "/etc/passwd"
$hello _size = 10240
$hello _type = "Text/plain"
$hello _name = "Hello.txt"

The form data above satisfies the variables expected by the PHP program, but when the PHP program no longer processes the uploaded file, it handles the "/etc/passwd" (which usually results in content exposure). This attack can be used to expose the contents of any sensitive file.



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.