Allowing file uploads by end users, especially if done without a full understanding of the risks associated with it, is akin to opening the floodgates for server compromise. File uploads carry a significant risk that not many are aware of, or know how to mitigate against abuse. Naturally, despite the security concerns surrounding the ability for end users to upload files, it is an increasingly common requirement in modern web applications. Worse still, several web applications contain insecure, unrestricted file upload mechanisms. This article will present eight common flawed methods of securing upload forms, and how easily an attacker could bypass such defenses.

No Validation

A simple file upload form typically consists of an HTML form which is presented to the client and a server-side script that processes the file being uploaded. The following example contains such an HTML form and a server-side script written in PHP.

When the PHP interpreter receives an HTTP POST request of the multipart/form-data encoding type, the script will create a temporary file with a random name in a temporary directory on the server, for example, /var/tmp/php6yXOVs. The PHP interpreter will also populate the global array $_FILES with the information about the uploaded file as follows.

- $_FILES: The original name of the file on the client machine.
- $_FILES: The size of the file in bytes.
- $_FILES: The temporary filename in which the uploaded file was stored on the server.

The move_uploaded_file() PHP function will move the temporary file to a location provided by the user. In this case, the destination is below the server root. Therefore the files can be accessed using a URL such as. In this simple example, no restrictions are imposed by the server-side script on what file types are allowed to be uploaded to the server. As a result, an attacker could easily upload a malicious PHP file that could lead to server compromise.

MIME-type Validation

A common mistake made when securing file upload forms is to only check the MIME-type returned by the application runtime. For example, with PHP, when a file is uploaded to the server, PHP will set the variable $_FILES to the MIME-type provided by the web client. Since an attacker could easily control the MIME-type by sending the server a crafted HTTP POST request, such validation is trivial for an attacker to bypass. As a result, an attacker could easily upload a malicious PHP file with an allowed MIME-type that could lead to server compromise.

Blacklisting File Extensions

Another weak validation method that is widely used in file upload forms is to use a blacklist of file types that have dangerous extensions. Upload forms using this mechanism would check the extension of the file that is being uploaded and compare it to a list of extensions that the application considers harmful. While this could be somewhat effective against some file types, the choice of employing a blacklist is a poor one, since it is practically impossible to compile a list of all possible file extensions that an attacker could abuse, especially if the application is running within an environment that allows a large number of scripting languages, such as Perl, Python, Ruby, and others: the list is endless. For example, the attacker may change the letters in the extension to their capital forms (. A whitelisting approach in this use case is by far more effective.

One possible way an attacker could bypass a file extension blacklist on an Apache HTTP Server is to first upload an .htaccess file with the following contents. The above configuration would instruct the Apache HTTP Server to execute JPEG images as though they were PHP scripts. An attacker would then proceed to upload a file with a .jpg extension (a file extension that is presumably allowed), which would contain PHP code instead of an image, and this would allow for code execution.
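The MIME-type and blacklist weaknesses described on this page, shown side by side with a whitelist check, as an added Python illustration (not the article's PHP code). The blacklist, whitelist and magic-byte table are constructed for the demonstration; the hardened check also rejects dotfiles and double extensions, which goes slightly beyond the text.

```python
import os

# Constructed lists for the demonstration. A blacklist can never be complete;
# a whitelist states exactly what the application is willing to serve.
BLACKLISTED_EXTENSIONS = {"php", "phtml", "php3", "pl", "py", "rb"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the image formats the whitelist permits.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def blacklist_accepts(client_name: str) -> bool:
    """The weak check from the article: compare the raw extension against a
    blacklist. Case is not normalised and a missing extension passes, so
    'shell.PHP' and '.htaccess' are both accepted."""
    _, ext = os.path.splitext(client_name)
    return ext.lstrip(".") not in BLACKLISTED_EXTENSIONS


def whitelist_accepts(client_name: str, client_mime: str, content: bytes) -> bool:
    """Hardened check: the client-supplied MIME type is ignored entirely, the
    name must carry exactly one lower-cased extension from the whitelist, and
    the file's own bytes must match that type."""
    del client_mime  # chosen by the client, so it carries no evidence
    base = os.path.basename(client_name)
    # Reject dotfiles (.htaccess) and multiple extensions (shell.php.jpg).
    if base.startswith(".") or base.count(".") != 1:
        return False
    ext = os.path.splitext(base)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    sniffed = next((kind for magic, kind in IMAGE_MAGIC.items()
                    if content.startswith(magic)), None)
    wanted = "jpg" if ext == "jpeg" else ext
    return sniffed == wanted


if __name__ == "__main__":
    php_payload = b"<?php echo 'hello'; ?>"          # constructed sample
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed sample
    for name, content in [("shell.PHP", php_payload), (".htaccess", b"(placeholder)"),
                          ("photo.jpg", jpeg_bytes), ("photo.jpg", php_payload)]:
        print(f"{name:12} blacklist={blacklist_accepts(name)} "
              f"whitelist={whitelist_accepts(name, 'image/jpeg', content)}")
```

The blacklist accepts the first two names and the whitelist rejects everything except a .jpg whose bytes really start like a JPEG, whatever MIME type the client claimed.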