2 Replies - 932 Views - Last Post: 12 September 2013 - 03:50 AM

#1 mutago234

php file upload vulnerability issues

Posted 11 September 2013 - 07:16 PM

This application only uploads .jpg images, and when I tried uploading a .gif, it displays errors. Now I have 5 solid questions for experts:

1: Is this code secured against directory traversal attack?

2: Is it secured against file upload vulnerability?

3: How do I define a .htaccess file that will only allow access to files with allowed extensions, e.g. .jpg and gif?

4: How do I ensure that .gif images are also uploaded?

5: How do I configure the web server to deny access to the uploads directory?


<?php
error_reporting(0);
// PDO connection
include('config.php');


// check content-type verification

$ext = substr($filename, strrpos($filename, '.') + 1);
 if( ($ext != "jpg") && ($_FILES["image"]["type"] != "image/jpeg") && ($ext != "gif") && ($_FILES["image"]["type"] != "image/gif")) {

echo "Sorry, only GIF and jpeg images can be uploaded later!";
exit;
}


// STOP hacker from embedding a shell script on image

$imageinfo = getimagesize($_FILES['image']['tmp_name']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') {
echo "Sorry, we only accept GIF and JPEG images";
exit;
}


$font_path = "GILSANUB.TTF"; // Font file
$font_size = 20; // in pixels
$water_mark_text_2 = "My name is Mutago"; // Watermark Text


function watermark_text($oldimage_name, $new_image_name)
{
global $font_path, $font_size, $water_mark_text_2;


list($owidth,$oheight) = getimagesize($oldimage_name);
$width = $height = 400;
$image = imagecreatetruecolor($width, $height);
$image_src = imagecreatefromjpeg($oldimage_name);
imagecopyresampled($image, $image_src, 0, 0, 0, 0, $width, $height, $owidth, $oheight);
$blue = imagecolorallocate($image, 79, 166, 185);
imagettftext($image, $font_size, 0, 68, 190, $blue, $font_path, $water_mark_text_2);

//imagettftext($image, $font_size, 0, 68, 350, $blue, $font_path, $water_mark_text_2);


imagejpeg($image, $new_image_name, 100);
imagedestroy($image);
unlink($oldimage_name);
return true;
}



// rename and randomize imagename to make access impossible for hackers

$filename = strip_tags($HTTP_POST_FILES['image']['name']);
$filename = htmlspecialchars($HTTP_POST_FILES['image']['name'], ENT_QUOTES);

// random 4 digit to add to our file name
// some people use date and time instead of random digit
//$random_digit=rand(0000,9999);
$random_digit=md5(uniqid(rand(), true));
//combine random digit to your file name to create new file name
//use dot (.) to combine these two variables

$new_file_name=$random_digit.$filename;





//check that we have a file
if((!empty($_FILES["image"])) && ($_FILES['image']['error'] == 0)) {
  //Check if the file is JPEG image and its size is less than 750Kb
  $filename = strip_tags(basename($_FILES['image']['name']));

// check directory traversal by sanitizing filename
$filename = preg_replace('/[^a-zA-Z0-9-_\.]/','', $filename);
 

  $ext = substr($filename, strrpos($filename, '.') + 1);
  if (($ext == "jpg") && ($_FILES["image"]["type"] == "image/jpeg") &&
   ($_FILES["image"]["size"] < 750000) || ($ext == "gif") && ($_FILES["image"]["type"] == "image/gif") &&
   ($_FILES["image"]["size"] < 750000)) {
    
//  sanitizing

$location = 'uploads/'.strip_tags($new_file_name);

// check directory traversal by sanitizing new files
$new_file_name = preg_replace('/[^a-zA-Z0-9-_\.]/','', $new_file_name);
 
$uploadedby=strip_tags($_POST['uploadedby']);
$uploadedby=htmlspecialchars($_POST['uploadedby'], ENT_QUOTES);

      //Check if a file with the same name already exists on the server
      if (!file_exists($location)) {
        //Attempt to move the uploaded file to its new place
        if ((move_uploaded_file($_FILES['image']['tmp_name'],$location))) {


$new_name = $location.md5(uniqid(rand(), true)).".jpg";


        if(watermark_text($location.$_FILES['imgfile']['name'], $new_name)){
                $demo_image = $new_name;
                
    }
// insert into database

           echo "Upload Okay";
        } else {
           echo "Error: A problem occurred during file upload!";
        }
      } else {
         echo "File with this name already exists, Rename it";
      }
  } else {
     echo "Error: Only .jpg images under 750Kb are accepted for upload";
  }
} else {
 echo "Error: No file uploaded";
}
?>





Replies To: php file upload vulnerability issues

#2 Atspulgs

Re: php file upload vulnerability issues

Posted 11 September 2013 - 10:14 PM

Well, I'm not an expert in security, but I did find this. Maybe you can take a look at that and see what you have done and what you haven't to secure the upload. Sadly, I don't know its credibility.

If you want a serious answer to your questions about security, I suggest you check out OWASP.

#3 Atli

Re: php file upload vulnerability issues

Posted 12 September 2013 - 03:50 AM

I don't know where you got this code, but it looks like parts of it are ancient. At one point there it's using $HTTP_POST_FILES, which has been deprecated for some 12 years now.

You also seem to be overusing strip_tags a lot. You keep using it on values that are never even printed. It's a function meant to clean up user input before printing it into HTML pages. As such, there is little point using it on values that are never printed.

mutago234, on 12 September 2013 - 02:16 AM, said:

3: How do I define a .htaccess file that will only allow access to files with allowed extensions, e.g. .jpg and gif?

You could add a .htaccess file into the directory in question that denies access to every visitor, and then use the FilesMatch directive to selectively allow access to files with a given extension.

mutago234, on 12 September 2013 - 02:16 AM, said:

4: How do I ensure that .gif images are also uploaded?

Same way you ensured that .jpeg files are uploaded, except using "gif" instead of "jpeg". This should not be hard, given that you understand what your current code is doing.

mutago234, on 12 September 2013 - 02:16 AM, said:

5: How do I configure the web server to deny access to the uploads directory?

Either put a .htaccess file in there with a Deny directive, or put a Directory directive into the config file for the server or virtual host. (Depending on your setup.)
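The deny-everything-then-allow-by-extension approach from the answers to questions 3 and 5 above, written out as an added example (it is not part of the original posts). It covers both the Apache 2.4 and the older 2.2 access-control syntax; the anchored filename pattern (one server-generated, lowercase name with a single extension) and the /var/www/example/uploads path are assumptions made for illustration.

```apache
# uploads/.htaccess  (added example, not from the thread)
# Only honoured if the server's AllowOverride setting permits these directives.

# --- Apache 2.4 and later (mod_authz_core) ---
<IfModule mod_authz_core.c>
    # Question 5: deny every request to this directory by default.
    Require all denied

    # Question 3: re-allow only names that are a single safe token plus one
    # image extension. Anchoring with ^...$ and excluding "." from the name
    # part means "x.php.jpg" or "x.jpg.php" do not match and stay denied.
    <FilesMatch "^[A-Za-z0-9_-]+\.(jpe?g|gif)$">
        Require all granted
    </FilesMatch>
</IfModule>

# --- Apache 2.2 (Order / Deny / Allow) ---
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all

    <FilesMatch "^[A-Za-z0-9_-]+\.(jpe?g|gif)$">
        Order allow,deny
        Allow from all
    </FilesMatch>
</IfModule>

# --- Alternative for question 5, in the server or virtual host config ---
# (a <Directory> block is not valid inside .htaccess; the path is a
#  placeholder for wherever the uploads directory really lives)
#
# <Directory "/var/www/example/uploads">
#     Require all denied
# </Directory>
```

With the default-deny in place, a file that slips past the PHP checks under a non-image name cannot be requested over HTTP, but the pattern only helps if the upload script stores files under names it generates itself rather than the client-supplied name.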