-
June 8th, 2004, 09:03 PM
#1
Junior Member
What could happen with upload img script?
Hi all,
On a site I own I have a simple PHP upload script (source code at bottom of the post). I checked the directory the uploads go to and saw a file called something similar to:
1111111111111111111111111111111111111111111111.jpg (but with about 10 times more 1's). So I downloaded it to see what it was and it said "You've been hacked by crfs". So obviously, this image was intended to overflow my script.
Firstly, what could he gain access to if he did manage to overflow it? I've read up on application buffer overflows (software) but not so much on web-based overflows (the first thing I'm going to do after this post is look them up).
Second, how could I prevent users from being able to upload scripts over 30 characters or something?
Well, here is the source:
<html>
<link href="style.css" rel="stylesheet" type="text/css">
<body bgcolor="#647181">
<table><tr><td>
<FORM ENCTYPE="multipart/form-data" ACTION="image.php" METHOD="POST">
<font color="#ffffff">Select a file to upload. Only jpg/gif allowed. :</font> <INPUT TYPE="file" NAME="userfile">
<INPUT TYPE="submit" VALUE="Upload">
</FORM>
PHP Code:
<?php
$path = "";           // upload directory; empty means the directory this script lives in
$max_size = 100000;   // bytes
// $_FILES is the current name of the $HTTP_POST_FILES array the script originally used
if (!isset($_FILES['userfile'])) exit;
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
    if ($_FILES['userfile']['size'] > $max_size) { echo "The file is too big \n"; exit; }
    // Only the MIME type sent by the browser is checked here
    if (($_FILES['userfile']['type'] == "image/gif") || ($_FILES['userfile']['type'] == "image/pjpeg") || ($_FILES['userfile']['type'] == "image/jpeg")) {
        if (file_exists($path . $_FILES['userfile']['name'])) { echo "The file already exists \n"; exit; }
        // The file is stored under the name the client supplied, unchanged
        $res = copy($_FILES['userfile']['tmp_name'], $path . $_FILES['userfile']['name']);
        if (!$res) { echo "Upload Failed! \n"; exit; } else { echo "Upload Successful \n"; }
        echo "\n\nFile Name: http://www.censored.net/incoming/" . $_FILES['userfile']['name'] . " \n";
        echo "File Size: " . $_FILES['userfile']['size'] . " bytes \n";
        echo "File Type: " . $_FILES['userfile']['type'] . " \n";
    } else { echo "Wrong file type \n"; exit; }
}
?>
</td></tr></table>
</body>
</html>
-
June 8th, 2004, 09:53 PM
#2
I don't know php but can't you convert the filename to a text string, test its length and then disallow it if it is longer than a certain length?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 8th, 2004, 10:04 PM
#3
Junior Member
I don't know PHP either; that script was straight from hotscripts.com or somewhere, which is why I asked. Thanks anyway, I'll look into that.
-
June 9th, 2004, 01:59 AM
#4
Member
Use the following code (it is a modification of my own code; use it instead of that code):
PHP Code:
<?php
if (!isset($_FILES['userfile'])) exit;
$maxsize = 100000;        // bytes
$uploadDir = "upload/";
$fsize = $_FILES['userfile']['size'];
$fmime = $_FILES['userfile']['type'];      // MIME type as reported by the browser
$uploadName = $_FILES['userfile']['name'];
$fext = substr($uploadName, strrpos($uploadName, '.'));   // extension (computed, not checked below)
$uploadFile = $uploadDir . $uploadName;
if (($fmime == "image/gif") || ($fmime == "image/jpeg") || ($fmime == "image/pjpeg")) {
    if ($fsize < $maxsize) {
        // 34 presumably allows a 30-character name plus a 4-character extension such as .jpg
        if (strlen($uploadName) < 34) {
            uploadIt();
        } else {
            die("<strong>Filename is over 30 characters.</strong>");
        }
    } else {
        die("<strong>File is too large.</strong>");
    }
} else {
    die("<strong>File type is invalid.</strong>");
}
function uploadIt()
{
    // $uploadDir has to be imported too, otherwise the link below is empty
    global $uploadFile, $uploadDir;
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFile)) {
        print "<strong>File successfully uploaded</strong><br /><br /><a href=\"$uploadDir\">Upload Directory</a>";
    } else {
        print "Upload <strong>FAILED!</strong><br />";
    }
}
?>
-
June 9th, 2004, 09:47 AM
#5
Is your upload directory accessible through the website? Is it correctly locked down?
What happens if I fake the MIME type (easily done) and upload a PHP script/executable?
So I upload a hostile script (or executable) and trigger it by going to http://your.website/upload/myhostile.php.... If I do my job right and you didn't, you would be dead in the water.....
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 9th, 2004, 01:14 PM
#6
1. PHP handles buffers for you (idiot proof), so that attacker had no clue what they were doing.
2. BOF attacks always work the same, no matter what they target... if successful they give the attacker the ability to do anything the UID (and any other security beyond DAC, if it exists) will allow the broken software to do. In this case it will have all the powers of probably the nobody or apache UID.
3. Either set the path outside http_root or set it to a non-executable directory (there are many ways to do this, including the simplest of using php safe in the config file) and ensure the type matches the extension.
catch
-
June 9th, 2004, 01:45 PM
#7
Catch: You're right about the BOF... But.... If I can upload and start a hostile application on your webserver I just need some local privilege escalation to get more than 'nobody' or 'www'. I don't have to do a remote exploit first to get access.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 9th, 2004, 04:36 PM
#8
Junior Member
Hi there,
this is my first post and my English could be better, but is it true that the PHP module itself isn't... intelligent enough to see the difference between an image and another PHP script, so that I only have to change the MIME type that is sent and the script will upload it? Is there another way to check if it's really an image?
-
June 9th, 2004, 04:46 PM
#9
Member
Even if you are checking to see whether the file type is a valid image, jpg, gif or png, would it be possible to create a malicious program that has an image file type? I've never heard of anything like this, but would it be possible?
\"I have not failed. I\'ve just found 10,000 ways that won\'t work.\" - Albert Einstein