What could happen with upload img script?
Results 1 to 9 of 9

Thread: What could happen with upload img script?

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    6

    What could happen with upload img script?

    Hi all,
    On a site I own I have a simple PHP upload script (source code at bottom of the post). I checked the directory the uploads goto and saw a file called something similar to :
    1111111111111111111111111111111111111111111111.jpg (but with about 10 times more 1's). So I downloaded it to see what it was and it said "You've been hacked by crfs". So obviously, this image was intended to overflow my script.

    Firstly, what could he gain access to if he did manage to overflow it? I've read up on application buffer overflows (software) but not so much on web-based overflows (the first thing ima do after this post is look up on them).

    Second, how could I prevent users from being able to upload scripts over 30 characters or something?

    Well, here is the source :
    <FORM ENCTYPE="multipart/form-data" ACTION="image.php" METHOD="POST">
    <html>
    <link href="style.css" rel="stylesheet" type="text/css">
    <body bgcolor="#647181">
    <table><tr><td>
    <font color="#ffffff">Select a file to upload. Only jpg/gif allowed. :</font> <INPUT TYPE="file" NAME="userfile">

    <INPUT TYPE="submit" VALUE="Upload">
    </FORM>

    PHP Code:
    <?php

    $path 
    "";
    $max_size 100000;

    if (!isset(
    $HTTP_POST_FILES['userfile'])) exit;

    if (
    is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {

    if (
    $HTTP_POST_FILES['userfile']['size']>$max_size) { echo "The file is too big
    \n"
    ; exit; }
    if ((
    $HTTP_POST_FILES['userfile']['type']=="image/gif") || ($HTTP_POST_FILES['userfile']['type']=="image/pjpeg") || ($HTTP_POST_FILES['userfile']['type']=="image/jpeg")) {

    if (
    file_exists($path $HTTP_POST_FILES['userfile']['name'])) { echo "The file already exists
    \n"
    ; exit; }

    $res copy($HTTP_POST_FILES['userfile']['tmp_name'], $path .
    $HTTP_POST_FILES['userfile']['name']);
    if (!
    $res) { echo "Upload Failed!
    \n"
    ; exit; } else { echo "Upload Successful  
    \n"
    ; }

    echo 
    "\n\nFile Name: http://www.censored.net/incoming/".$HTTP_POST_FILES['userfile']['name']."
    \n"
    ;
    echo 
    "File Size: ".$HTTP_POST_FILES['userfile']['size']." bytes
    \n"
    ;
    echo 
    "File Type: ".$HTTP_POST_FILES['userfile']['type']."
    \n"
    ;
    } else { echo 
    "Wrong file type
    \n"
    ; exit; }

    }

    ?>
    </td></tr></table>
    </body>
    </html>
    Security noob.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I don't know php but can't you convert the filename to a text string, test it's length and then disallow it if it is longer than a certain length?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Junior Member
    Join Date
    Jun 2004
    Posts
    6
    I don't know php neither, that script was straight from hotscripts.com or somewhere, which is why I asked. Thanks anyway, I'll look into that.
    Security noob.

  4. #4
    Use the following code (it is a modification of my own code; use it instead of that code):

    PHP Code:
    &lt;?
    if(!isset(
    $_FILES['userfile'])) exit;

    $maxsize 100000;
    $uploadDir "upload/";
    $fsize $_FILES['userfile']['size'];
    $fmime $_FILES['userfile']['type'];

    $uploadName $_FILES['userfile']['name'];
    $fext substr($uploadName,strrpos($uploadName,'.')); 
    $uploadFile $uploadDir $uploadName;

    if((
    $fmime == "image/gif") || ($fmime == "image/jpeg") || ($fmime == "image/pjpeg")) {
      if(
    $fsize &lt$maxsize) {
        if(
    strlen($uploadName) &lt34) {
          
    uploadIt();
        } else {
          die(
    "&lt;strong&gt;Filename is over 30 characters.&lt;/strong&gt;");
        } 
      } else {
        die(
    "&lt;strong&gt;File is too large.&lt;/strong&gt;");
      }
     } else {
        die(
    "&lt;strong&gt;File type is invalid.&lt;/strong&gt;");
     }
    } else {
        
    uploadIt();

     
    function 
    uploadIt()
    {
     global 
    $uploadFile;
     if(
    move_uploaded_file($_FILES['userfile']['tmp_name'],$uploadFile)) {
       print 
    "&lt;strong&gt;File successfully uploaded&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href=\"$uploadDir\"&gt;Upload Directory&lt;/a&gt;";
     } else {
       print 
    "Upload &lt;strong&gt;FAILED!&lt;/strong&gt;&lt;br /&gt;";
     }
    }
    ?&
    gt
    --> MyWebsite <--

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Is your upload directory accessable through the website? Is it correctly locked down?
    What happens if I fake the MIME-type (easily done) and upload a php script/executable?

    So I upload a hostile script (or executable) and trigger it by going to http://your.website/upload/myhostile.php.... If I do my job right and you didn't you would be dead in the water.....
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    1,004
    1: PHP handles buffers for you (idiot proof) so that attacker had no clue what they were doing.

    2. BOF attacks always work the same, no matter what they target... if successful they give the attacker the ability to do anything the the UID (and any other security beyond DAC if it exists) will allow the broken software to do. In this case it will have all the powers of prolly the nobody or apache UID.

    3. Either set the path outside http_root or set it to a non-executable directory (there are many ways to do this including the simplest of using php safe in the config file) and ensure the type matches the extention.

    catch

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Catch: You're right about the BOF... But.... If I can upload and start a hostile application to your webserver I just need some local privilege escalation to get more then 'nobody' or 'www'. I don't have to do a remote exploit first to get access.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Junior Member
    Join Date
    Jun 2004
    Posts
    1
    hi there

    this is my first post and my english could be better, but is it true, that the phpmodule itself isn't ... intelligent enough to see the difference between an image and another phpscript, so that I only change the type of mime that is send and the script will upload it? Is there a way to do another way to check if it's really an image?

  9. #9
    Even if you are checking to see whether the file type is a valid image, jpg, gif or png, would it be possible to create a malicious program that has an image file type? I've never heard of anything like this, but would it be possible?
    \"I have not failed. I\'ve just found 10,000 ways that won\'t work.\" - Albert Einstein

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •