What could happen with upload img script?

[lomu]

Hi all,
On a site I own I have a simple PHP upload script (source code at bottom of the post). I checked the directory the uploads goto and saw a file called something similar to :
1111111111111111111111111111111111111111111111.jpg (but with about 10 times more 1's). So I downloaded it to see what it was and it said "You've been hacked by crfs". So obviously, this image was intended to overflow my script.

Firstly, what could he gain access to if he did manage to overflow it? I've read up on application buffer overflows (software) but not so much on web-based overflows (the first thing ima do after this post is look up on them).

Second, how could I prevent users from being able to upload scripts over 30 characters or something?

Well, here is the source :

<FORM ENCTYPE="multipart/form-data" ACTION="image.php" METHOD="POST">
<html>
<link href="style.css" rel="stylesheet" type="text/css">
<body bgcolor="#647181">
<table><tr><td>
<font color="#ffffff">Select a file to upload. Only jpg/gif allowed. :</font> <INPUT TYPE="file" NAME="userfile">

<INPUT TYPE="submit" VALUE="Upload">
</FORM>

PHP Code:

<?php

$path = "";
$max_size = 100000;

if (!isset($HTTP_POST_FILES['userfile'])) exit;

if (is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {

if ($HTTP_POST_FILES['userfile']['size']>$max_size) { echo "The file is too big
\n"; exit; }
if (($HTTP_POST_FILES['userfile']['type']=="image/gif") || ($HTTP_POST_FILES['userfile']['type']=="image/pjpeg") || ($HTTP_POST_FILES['userfile']['type']=="image/jpeg")) {

if (file_exists($path . $HTTP_POST_FILES['userfile']['name'])) { echo "The file already exists
\n"; exit; }

$res = copy($HTTP_POST_FILES['userfile']['tmp_name'], $path .
$HTTP_POST_FILES['userfile']['name']);
if (!$res) { echo "Upload Failed!
\n"; exit; } else { echo "Upload Successful  
\n"; }

echo "\n\nFile Name: http://www.censored.net/incoming/".$HTTP_POST_FILES['userfile']['name']."
\n";
echo "File Size: ".$HTTP_POST_FILES['userfile']['size']." bytes
\n";
echo "File Type: ".$HTTP_POST_FILES['userfile']['type']."
\n";
} else { echo "Wrong file type
\n"; exit; }

}

?>

</td></tr></table>
</body>
</html>

[Tiger Shark]

I don't know php but can't you convert the filename to a text string, test it's length and then disallow it if it is longer than a certain length?

[lomu]

I don't know php neither, that script was straight from hotscripts.com or somewhere, which is why I asked. Thanks anyway, I'll look into that.

[klassasin]

Use the following code (it is a modification of my own code; use it instead of that code):

PHP Code:

<?
if(!isset($_FILES['userfile'])) exit;

$maxsize = 100000;
$uploadDir = "upload/";
$fsize = $_FILES['userfile']['size'];
$fmime = $_FILES['userfile']['type'];

$uploadName = $_FILES['userfile']['name'];
$fext = substr($uploadName,strrpos($uploadName,'.')); 
$uploadFile = $uploadDir . $uploadName;

if(($fmime == "image/gif") || ($fmime == "image/jpeg") || ($fmime == "image/pjpeg")) {
  if($fsize < $maxsize) {
    if(strlen($uploadName) < 34) {
      uploadIt();
    } else {
      die("<strong>Filename is over 30 characters.</strong>");
    } 
  } else {
    die("<strong>File is too large.</strong>");
  }
 } else {
    die("<strong>File type is invalid.</strong>");
 }
} else {
    uploadIt();
} 
 
function uploadIt()
{
 global $uploadFile;
 if(move_uploaded_file($_FILES['userfile']['tmp_name'],$uploadFile)) {
   print "<strong>File successfully uploaded</strong><br /><br /><a href=\"$uploadDir\">Upload Directory</a>";
 } else {
   print "Upload <strong>FAILED!</strong><br />";
 }
}
?> 


[SirDice]

Is your upload directory accessable through the website? Is it correctly locked down?
What happens if I fake the MIME-type (easily done) and upload a php script/executable?

So I upload a hostile script (or executable) and trigger it by going to http://your.website/upload/myhostile.php.... If I do my job right and you didn't you would be dead in the water.....

[catch]

1: PHP handles buffers for you (idiot proof) so that attacker had no clue what they were doing.

2. BOF attacks always work the same, no matter what they target... if successful they give the attacker the ability to do anything the the UID (and any other security beyond DAC if it exists) will allow the broken software to do. In this case it will have all the powers of prolly the nobody or apache UID.

3. Either set the path outside http_root or set it to a non-executable directory (there are many ways to do this including the simplest of using php safe in the config file) and ensure the type matches the extention.

catch

[SirDice]

Catch: You're right about the BOF... But.... If I can upload and start a hostile application to your webserver I just need some local privilege escalation to get more then 'nobody' or 'www'. I don't have to do a remote exploit first to get access.

[ellion]

hi there

this is my first post and my english could be better, but is it true, that the phpmodule itself isn't ... intelligent enough to see the difference between an image and another phpscript, so that I only change the type of mime that is send and the script will upload it? Is there a way to do another way to check if it's really an image?

[CS4Life]

Even if you are checking to see whether the file type is a valid image, jpg, gif or png, would it be possible to create a malicious program that has an image file type? I've never heard of anything like this, but would it be possible?