Menu
Hey.. my question is how to prevent someone upload a virus or some malicious code with the extension you pretend for example i have a pdf file uploader, anyone can upload a binary with pdf camouflage there are lots of programs to do that.
941
There are a number of secuirty concerns that arise with uploading files. The first problem is that the file might not be the file you want, in this case a pdf. The variable $_FILES['file_name']['type'] is controlled by the attacker can never be trusted. This value is commonly modified using exploit code or using tamperdata.
1)The first step in your secuirty system is to make sure the file has a .pdf extension:
if("pdf"!=substr($fileName, strrpos($fileName, '.') + 1)){
die("Invalid File Type");
}
2)Next you should check what file type it is using the php filetype() function.
3)A serious problem is that these PDF files can exploit vulnerabilities such as buffer overflows commonly found in software made by Adobe. These PDF's are used to spread viruses in a Drive By Download attack.
The best solution is to install the web application firewall Mod_Security. This will stop attacks like sql injection and xss from hitting your web application. Mod_Secuirty can be configured to scan all upload files for viruses using modsec-clamscan .
53
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
