Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP Upload file enhance security

Hey.. my question is how to prevent someone upload a virus or some malicious code with the extension you pretend for example i have a pdf file uploader, anyone can upload a binary with pdf camouflage there are lots of programs to do that.

like image 941
mandril Avatar asked May 01 '10 20:05

mandril


1 Answers

There are a number of secuirty concerns that arise with uploading files. The first problem is that the file might not be the file you want, in this case a pdf. The variable $_FILES['file_name']['type'] is controlled by the attacker can never be trusted. This value is commonly modified using exploit code or using tamperdata.

1)The first step in your secuirty system is to make sure the file has a .pdf extension:

if("pdf"!=substr($fileName, strrpos($fileName, '.') + 1)){
   die("Invalid File Type");
}

2)Next you should check what file type it is using the php filetype() function.

3)A serious problem is that these PDF files can exploit vulnerabilities such as buffer overflows commonly found in software made by Adobe. These PDF's are used to spread viruses in a Drive By Download attack.

The best solution is to install the web application firewall Mod_Security. This will stop attacks like sql injection and xss from hitting your web application. Mod_Secuirty can be configured to scan all upload files for viruses using modsec-clamscan .

like image 53
rook Avatar answered Sep 22 '22 19:09

rook