[PHP] File Upload Security
One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with "nobody" ownership, so it's obvious stuff is not via ftp [ownership would be "foo"].

Site is virtual host, Linux/Apache.

I'm concerned about a file uploader my users use to upload photos. Can anyone see a hole in this script? Can my code upload an executable masquerading as an image file?

<?php
$filetype = array("gif", "jpg", "jpeg", "png", "txt", "css");

function csvt_file_upload($filetype, $max_size)
{
    $prohibits = array("exe", "php", "inc", "php3", "pl", "bat", "cgi"); //common executables.
    $absolute_max_size = 200;

    end($_FILES); //get the name used by the html input.
    $name = key($_FILES); //could use the register variables, but this is safer.

    if (isset($_FILES[$name]['name'])) $input_name = $_FILES[$name]['name'];

    $error = "no"; //reset for error checks

    if (!isset($filetype)) {
        echo "<p style=\"color:red\"> File type assignment missing </p>";
        $error = "yes";
    };
    if (!isset($max_size)) {
        echo "<p style=\"color:red\"> Max file size assignment missing.</p>";
        $error = "yes";
    };

    $filename = $_FILES[$name]['name'];
    $tmp_name = $_FILES[$name]['tmp_name'];
    $size = $_FILES[$name]['size'];
    $absolute_path_file = getcwd() . DATA_DIR . $filename;

    if (($size >= $max_size) OR ($size > $absolute_max_size)) {
        echo "<p style=\"color:red\"> File size is too large.</p>";
        $error = "yes";
    }

    $ext = substr(strrchr($filename, "."), 1); //get the extension, remove the "."

    if (in_array($ext, $prohibits)) {
        echo "<p style=\"color:red\">Illegal file type, executable.</p>\r\n";
        $error = "yes";
    }
    if (is_executable($filename)) {
        echo "<p style=\"color:red\">Illegal file type, executable file.</p>\r\n";
        $error = "yes";
    } //This is a double check in case $prohibits is incomplete.

    if (is_array($filetype) AND !in_array($ext, $filetype)) {
        echo "<p style=\"color:red\">Illegal file type.</p>\r\n";
        $error = "yes";
    }
    if (!is_array($filetype) AND ($filetype != $ext)) {
        echo "<p style=\"color:red\">Illegal file type.</p>\r\n";
        $error = "yes";
    }

    if ($error == "yes") {
        echo "<p style=\"color:red\">There was an error(s) with your file selection \"$input_name\" as the note(s) indicates. Please reselect, or remove your file selection and email for help. </p>\r\n";
    } else {
        if (!move_uploaded_file($tmp_name, $absolute_path_file))
            die("<p style=\"color:red\">There was an error saving your file. Check permissions of " . DATA_DIR . " Must be 777 </p>\r\n");
        chmod($absolute_path_file, 0644);
    }
    return;
}
?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security
How was it hacked? That will help determine what kind of exploit might have been used.

On 4/11/08, Al [EMAIL PROTECTED] wrote:
> One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with "nobody" ownership, so it's obvious stuff is not via ftp [ownership would be "foo"].
Re: [PHP] File Upload Security
The hack puts this .htaccess in dozens of dirs:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
RewriteCond %{HTTP_REFERER} [?](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
RewriteCond %{HTTP_REFERER} ![?](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^]+(%3A|%22)
RewriteCond %{TIME_SEC} 59
RewriteRule ^.*$ /StartLocs/maps/kapicag/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c

The kapicag/ex3/t.htm appears to be a phishing site.

mike wrote:
> How was it hacked? That will help determine what kind of exploit might have been used.
>
> On 4/11/08, Al [EMAIL PROTECTED] wrote:
>> One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with "nobody" ownership, so it's obvious stuff is not via ftp [ownership would be "foo"].
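A defender-side scan for the two symptoms Al describes (directories and files owned by the web-server user, and .htaccess files carrying referer-conditional rewrites like the one above). This is an added example, not code from the thread; the document root and the web-server user name are command-line assumptions.

```php
<?php
// Added example (not from the thread): walk a document root and flag
//  1. anything owned by the web-server user (Al's "nobody" dirs: created by
//     the web process, not by an FTP login), and
//  2. .htaccess files with the fingerprint of the dropped rewrite rules.
// $docroot and $webUser are assumptions passed on the command line.

function isSuspiciousHtaccess(string $contents): array
{
    $reasons = [];
    // Only traffic arriving from search engines is redirected: the rules key on the referer
    if (preg_match('/RewriteCond\s+%\{HTTP_REFERER\}/i', $contents)) {
        $reasons[] = 'referer-conditional RewriteCond';
    }
    if (preg_match('/RewriteCond\s+%\{HTTP_REFERER\}.*\b(google|yahoo|msn|yandex)\b/i', $contents)) {
        $reasons[] = 'search-engine referer list';
    }
    // Every request (^.*$) is sent to one target and rule processing stops ([L])
    if (preg_match('/RewriteRule\s+\^\.\*\$\s+\S+\s+\[L\]/i', $contents)) {
        $reasons[] = 'catch-all RewriteRule';
    }
    // Trailing 32-hex-digit marker comment, as in the sample from the thread
    if (preg_match('/^#\s*[0-9a-f]{32}\s*$/mi', $contents)) {
        $reasons[] = 'md5-like marker comment';
    }
    return $reasons;
}

function scanDocroot(string $docroot, string $webUser): array
{
    $findings = [];
    $webUid = null;
    if (function_exists('posix_getpwnam')) {
        $pw = posix_getpwnam($webUser);
        if ($pw !== false) {
            $webUid = $pw['uid'];
        }
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        // Files the web-server user owns were written by a script, not uploaded over FTP
        if ($webUid !== null && $info->getOwner() === $webUid) {
            $findings[] = [$path, 'owned by ' . $webUser];
        }
        if ($info->isFile() && $info->getFilename() === '.htaccess') {
            $reasons = isSuspiciousHtaccess((string) file_get_contents($path));
            if ($reasons !== []) {
                $findings[] = [$path, implode(', ', $reasons)];
            }
        }
    }
    return $findings;
}

// Usage: php scan.php /path/to/docroot nobody
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scanDocroot($argv[1], $argv[2] ?? 'nobody') as [$path, $why]) {
        printf("%s\t%s\n", $path, $why);
    }
}
```

Run it as the account owner, not as the web-server user, so a compromised script cannot alter what the scan reports.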
Re: [PHP] File Upload Security
I would recommend something stronger:
http://www.php.net/manual/en/function.exif-imagetype.php
or, if you don't have exif, http://www.php.net/manual/en/function.getimagesize.php will also do the trick.

One more thing: you are also allowing .txt and .css, which may be a potential hole, as Apache can run .css through the PHP engine as well if configured to do so. Sometimes I use PHP to process CSS so I can have dynamic CSS for some rare cases.

On Apr 12, 2008, at 2:24 AM, Al wrote:
> One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with "nobody" ownership, so it's obvious stuff is not via ftp [ownership would be "foo"].
>
> Site is virtual host, Linux/Apache.
>
> I'm concerned about a file uploader my users use to upload photos. Can anyone see a hole in this script? Can my code upload an executable masquerading as an image file?

Igor Jocic
http://www.carster.us/
Re: [PHP] File Upload Security
Al wrote:
> One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with "nobody" ownership, so it's obvious stuff is not via ftp [ownership would be "foo"].
>
> Site is virtual host, Linux/Apache.
>
> I'm concerned about a file uploader my users use to upload photos.
<!-- SNIP -->

First off, file type means NOTHING to people using uploaders. I have had a number of people try to hack my site with my uploader and they never succeed. If you don't parse the first few lines of the file, you're probably gonna find yourself hacked again. Depending on the size of the machine, you could just read the whole file and look for "php" somewhere in it, and if it exists, erase immediately.

image.php.gif.jpg would pass your test as far as checking extensions.

I have a number of the scripts used by others to try to hack my site available for download/review. If you search the archives, you should find them. If not, contact me directly and I'll send you the link to them.

HTH,
Wolf
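An upload handler that applies Igor's and Wolf's points together, written here as an added example rather than taken from the thread: every extension segment of the client name is checked (so image.php.gif.jpg fails even though its last extension is jpg), txt and css are simply not on the list, and the bytes are checked with exif_imagetype()/getimagesize() before the file is stored under a name the server chooses. $storeDir is assumed to be a directory outside the web tree.

```php
<?php
// Added example, not Al's uploader. Checks run in this order: transport error,
// size, filename allow-list over ALL extension segments, PHP's own uploaded-file
// check, then a magic-byte check that must agree with the claimed type.

const ALLOWED_IMAGE_EXT = ['gif', 'jpg', 'jpeg', 'png'];
const IMAGE_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

// Wolf's case: image.php.gif.jpg. Apache's mod_mime can match a handler on any
// segment of the name, so each segment has to be one we accept.
function filenameAllowed(string $clientName): bool
{
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;            // no extension at all, or a dotfile such as .htaccess
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_IMAGE_EXT, true)) {
            return false;
        }
    }
    return true;
}

// Igor's suggestion: ask the bytes, not the name. Returns the canonical
// extension of the detected type, or null if the content is not an accepted image.
function detectImageExt(string $path): ?string
{
    $type = function_exists('exif_imagetype') ? @exif_imagetype($path) : false;
    if ($type === false) {
        $info = @getimagesize($path);        // fallback when ext/exif is not compiled in
        $type = $info[2] ?? false;
    }
    return IMAGE_TYPES[$type] ?? null;
}

function acceptUpload(array $file, string $storeDir, int $maxBytes): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    if (!filenameAllowed($file['name'])) {
        throw new RuntimeException('illegal file type');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $actual  = detectImageExt($file['tmp_name']);
    $claimed = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($claimed === 'jpeg') {
        $claimed = 'jpg';
    }
    if ($actual === null || $actual !== $claimed) {
        throw new RuntimeException('content does not match the claimed image type');
    }
    // The stored name is ours, not the client's: random, with the detected extension.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $actual;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $dest;
}

// Constructed names run through the filename rule when invoked from the CLI.
if (PHP_SAPI === 'cli') {
    foreach (['photo.jpg', 'image.php.gif.jpg', 'style.css', '.htaccess', 'a.jpg.php'] as $n) {
        printf("%-20s %s\n", $n, filenameAllowed($n) ? 'allowed' : 'rejected');
    }
}
```

In the receiving script the call is acceptUpload($_FILES['photo'], $storeDir, $maxBytes) inside a try/catch that reports the exception message to the user.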
Re: [PHP] File Upload Security and chmod
At 6:43 PM -0500 9/26/06, Richard Lynch wrote:
> On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
>> -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size).
>
> Extension check is kinda useless... I can name any file I want with .jpg and upload it.
>
> get_image_size() is good, as it checks the first N bytes -- But somebody somewhere can construct a worm with the first N bytes that LOOK like a valid image, to get_image_size()
>
> A human eyeball check would be even better, as then you *know* that a much larger number of bytes are a valid image.
>
> It could still be image+worm with the worm tacked on at the end, and a valid image at the front, which the browser would probably just go ahead and display as valid image. :-(
>
> The odds of somebody able to construct a valid-looking image whose exact byte sequence is also a worm are pretty low, but not impossible... :-)

That's one of the reasons why I resize images I upload -- image files are never stored as-is. I figure that any possible worms contained therein will probably be damaged beyond working after a shuffle. After all, code is usually sensitive to alteration.

> So when you read advice to use 0777 you can immediately change that to 0700, because the only access needed is for you, not your group, and not the world of other users on that machine.

Excellent point -- thanks.

tedd

-- 
---
http://sperling.com  http://ancientstones.com  http://earthstones.com
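What "image files are never stored as-is" looks like in GD, as an added example that is not tedd's or Richard's code. A constructed sample (a genuine 2x2 PNG with non-image bytes appended) still passes getimagesize(), which only reads the header; decoding it and writing a fresh image drops everything that is not pixel data. It assumes ext/gd is available.

```php
<?php
// Added example (not from the thread). getimagesize() inspects only the header,
// so a valid image with a trailer appended passes it. Re-encoding through GD
// writes a new file built from the decoded pixels alone.

function buildImageWithTrailer(): string
{
    // Constructed sample: a genuine 2x2 PNG followed by non-image data.
    $im = imagecreatetruecolor(2, 2);
    imagefill($im, 0, 0, imagecolorallocate($im, 200, 30, 30));
    ob_start();
    imagepng($im);
    $png = ob_get_clean();
    imagedestroy($im);
    return $png . "\nCONSTRUCTED-TRAILER-NOT-IMAGE-DATA\n";
}

// Decode the upload, draw it onto a fresh canvas (downscaled if large), and
// write that canvas out. Trailing data, EXIF and comment chunks do not survive.
function reencodeImage(string $srcPath, string $dstPath, int $maxSide = 1600): bool
{
    $info = @getimagesize($srcPath);
    if ($info === false) {
        return false;
    }
    [$w, $h, $type] = $info;
    $src = @imagecreatefromstring((string) file_get_contents($srcPath));
    if ($src === false) {
        return false;                       // header looked fine but the body did not decode
    }
    $scale = min(1.0, $maxSide / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    $dst = imagecreatetruecolor($nw, $nh);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);
    switch ($type) {
        case IMAGETYPE_PNG:  $ok = imagepng($dst, $dstPath); break;
        case IMAGETYPE_GIF:  $ok = imagegif($dst, $dstPath); break;
        case IMAGETYPE_JPEG: $ok = imagejpeg($dst, $dstPath, 85); break;
        default:             $ok = false;   // anything else is refused outright
    }
    imagedestroy($src);
    imagedestroy($dst);
    return $ok;
}

// Run on the constructed sample: the header check passes both before and after,
// but the trailer is absent from the re-encoded file.
$tmpIn  = tempnam(sys_get_temp_dir(), 'up');
$tmpOut = tempnam(sys_get_temp_dir(), 'clean');
file_put_contents($tmpIn, buildImageWithTrailer());

$before = (string) file_get_contents($tmpIn);
printf("raw upload passes getimagesize(): %s\n", getimagesize($tmpIn) !== false ? 'yes' : 'no');
printf("trailer present in raw upload: %s\n", strpos($before, 'CONSTRUCTED-TRAILER') !== false ? 'yes' : 'no');

if (reencodeImage($tmpIn, $tmpOut)) {
    $after = (string) file_get_contents($tmpOut);
    printf("re-encoded passes getimagesize(): %s\n", getimagesize($tmpOut) !== false ? 'yes' : 'no');
    printf("trailer present after re-encode: %s\n", strpos($after, 'CONSTRUCTED-TRAILER') !== false ? 'yes' : 'no');
}
unlink($tmpIn);
unlink($tmpOut);
```

Re-encoding does not make the stored file safe to serve with a PHP handler; it only removes what was not an image, so the stored name and location still have to stop execution.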
Re: [PHP] File Upload Security and chmod
On Wed, September 27, 2006 10:11 am, tedd wrote:
>> So when you read advice to use 0777 you can immediately change that to 0700, because the only access needed is for you, not your group, and not the world of other users on that machine.
>
> Excellent point -- thanks.

This applies only to Andy -- or those whose server runs as themself.

Tedd, whose server runs as "nobody" or some other user, still needs 0777 or the FTP hoop-jumping.

-- 
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] File Upload Security and chmod
So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties:

-- php_info() says the temporary file upload directory is "/tmp" but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed.

-- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file (which I realized after reading the documentation that neither is supposed to do).

Any ideas on functions that will give the full path of the inputted file? I've been searching the php documentation and general list but to no avail. On the plus side, I did get to practice writing information to a text file, so that was fun :)

Thanks for the tips on the chmod requirements for the get_image_size() function, I'm all about keeping permissions as strict as possible at this point!

Crap, gotta use my brain, huh? :) Seriously, thanks for the overview on how security should be approached and for the advice to not take general security recommendations at face value but to give them some thought, given my unique situation. This is really good for me to learn now, while I'm still implementing my security rather than later when I might have to redo everything (or might have a gaping hole based on a poor assumption).

At least I won't be storing anyone's financial information, so I should only be a target for people who just want to be mean, but not people who want to get free stuff from others' credit info. Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: "This driver never carries more than $20 cash." -- "This website never carries anyone's financial information." :)

Andy

On 9/26/06, Richard Lynch [EMAIL PROTECTED] wrote:
> On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
>> So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ's section on my server's website say that /tmp is not shared between the servers. So, looks like /tmp option is out...
>
> Did they perhaps give you your own tmp directory elsewhere?...
>
> Sometimes you just need to poke at it to figure out where your tmp is, and then you can use the PHP functions that let you specify your own directory, but not the ones that assume that system /tmp is your tmp
>
> My host has a tmp dir I can use, but it ain't /tmp, and PHP routinely tries to use /tmp with some functions. G.
>
>> So, let me see if I understand the situation I'm looking at here:
>>
>> The bad side:
>> -- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD).
>
> Yes.
>
> Though if file uploads are working at all, looking at the $_FILES array may give you a clue as to a directory that you maybe *can* access which is your own private tmp...
>
>> -- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD).
>
> On the plus side, some of the coding gets real simple, since you are you, and you are never somebody else. :-)
>
>> The good side:
>> -- Uploaded files can be chmod so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (get_image_size, etc.)?
>
> PHP needs to read them for get_image_size, but not execute.
>
> Use minimum force needed.
>
> If you are flipping the chmod around within your scripts, that reduces your risk to however long the dir remains in its 0777 (or whatever) state, which is however long your script takes to process whatever it has to process in that state. So long exhaustive checks of the validity of a file are bad because that leaves that window open longer, but they're good because the file is then more likely to be kosher.
>
>> -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size).
>
> Extension check is kinda useless... I can name any file I want with .jpg and upload it.
>
> get_image_size() is good, as it checks the first N bytes -- But somebody somewhere can construct a worm with the first N bytes that LOOK like a valid image, to get_image_size()
>
> A human eyeball check would be even better, as then you *know* that a much larger number of bytes are a valid image.
>
> It could still be image+worm with the worm
Re: [PHP] File Upload Security and chmod
On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote:
> So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties:
>
> -- php_info() says the temporary file upload directory is "/tmp" but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed.

/tmp means the /tmp on the root of the hard drive, which your webhost allegedly isn't letting you share...

HOWEVER:

It is entirely possible (nay, even likely) that they have you in a ch-rooted environment where your /tmp is not somebody else's /tmp so you'll just see /tmp and you don't have to worry about the fact that it's not really really /tmp but somewhere else...

> -- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file

If $_FILES['name']['tmp_name'] does already have the full path, something is very wrong on your system...

Note that as soon as your upload-receiving script ends, the file is deleted. You *have* to use move_uploaded_file() on it in the upload-receiving script to save the file somewhere else, or it's just gonna go away, and you ain't gonna see it never again.

> Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: "This driver never carries more than $20 cash." -- "This website never carries anyone's financial information." :)

:-)

While there are obviously people out there who will just attack randomly, (spammers) I honestly believe that a valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a much less likely target for an actual human attack. I have absolutely zero evidence to support that claim, other than one site that's been wide open to abuse for most of a decade, and only the mindless spam-bots bother it... :-)

-- 
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] File Upload Security and chmod
Well, seeing as I have no directory anywhere in my file structure called /tmp and yet my file uploads are still working, it would appear that my temporary file upload directory "/tmp" given by php_info() is somewhere outside of my root directory. So that's good news! That's where I'll be doing my file checks anyway before moving any files into my root directory.

Anyway, at this point it looks like I need to buckle down and do some thinkin'. Thank you everyone for your advice, I really really appreciate it!! You guys have given me a really good foundation to start from on these questions of site security, and I appreciate you taking the time to pass on your expertise to a newcomer.

All the best,
Andy

On 9/27/06, Richard Lynch [EMAIL PROTECTED] wrote:
> On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote:
>> So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties:
>>
>> -- php_info() says the temporary file upload directory is "/tmp" but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed.
>
> /tmp means the /tmp on the root of the hard drive, which your webhost allegedly isn't letting you share...
>
> HOWEVER:
>
> It is entirely possible (nay, even likely) that they have you in a ch-rooted environment where your /tmp is not somebody else's /tmp so you'll just see /tmp and you don't have to worry about the fact that it's not really really /tmp but somewhere else...
>
>> -- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file
>
> If $_FILES['name']['tmp_name'] does already have the full path, something is very wrong on your system...
>
> Note that as soon as your upload-receiving script ends, the file is deleted. You *have* to use move_uploaded_file() on it in the upload-receiving script to save the file somewhere else, or it's just gonna go away, and you ain't gonna see it never again.
>
>> Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: "This driver never carries more than $20 cash." -- "This website never carries anyone's financial information." :)
>
> :-)
>
> While there are obviously people out there who will just attack randomly, (spammers) I honestly believe that a valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a much less likely target for an actual human attack. I have absolutely zero evidence to support that claim, other than one site that's been wide open to abuse for most of a decade, and only the mindless spam-bots bother it... :-)
>
> -- 
> Like Music?
> http://l-i-e.com/artists.htm
Re: [PHP] File Upload Security and chmod
The FTP will be slower, almost for sure.

He's doing it because he can FTP in as himself, and not as the "nobody" user Apache runs as.

Your webhost has you running as yourself already, so you can chmod your files at will in PHP.

On Mon, September 25, 2006 2:11 pm, Andy Hultgren wrote:
> Tedd,
>
> Thanks so much for your thorough response - it's good to know that I'm not the only one trying to figure this out!
>
> I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours.
>
> Andy
>
> On 9/25/06, tedd [EMAIL PROTECTED] wrote:
>> At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
>>> Hi Tedd,
>>>
>>> Yes, when I browse to www.myDomain.com I get the index.html file, and so I have been leaving the .public_html/ directory alone since it is not my root.
>>>
>>> I'm curious, what you described is exactly what I'm trying to do - what permissions do you set the parent folder at when you are finished uploading/saving/downloading/etc.? I have my uploaded_images/ directory set at chmod 0100 and I can still browse to an uploaded image from my file upload page...
>>>
>>> Thanks for your response,
>>> Andy
>>
>> Andy:
>>
>> I ran into the same problem trying to work with, and understand, permissions on a virtual host. When I asked this gang about permissions some time back, I received answers that ranged from RTFM to calling me stupid for using 0777, but none answered my question. No fault of the gang, I probably didn't ask the question correctly. In any event, I felt too stupid to ask the question again, so I went elsewhere looking for answers and eventually found something that works for me. Some consider me a novice, so I'll ask the gang to overview my comments to make sure that I'm not guiding you down the wrong path.
>>
>> As you know, the key to setting the permissions of a file depends upon the permissions of the parent folder. If the parent folder permission is set to 0777, then we can change any files inside the folder as we want. However, that also presents a major security hole because then anyone can use that folder to upload and run evil code. So, the key problem is how to alter parent folder permissions.
>>
>> With virtual hosting, we can upload, manage, and set permissions as we want via our FTP connection software. So, I thought perhaps php had something like that and as such I discovered how to ftp connect via php. Now, not all php ftp_commands are available to php 4, but you can connect to your site and change permissions of folders, which is what we actually need.
>>
>> So, if you want to do something with a file: then change the folder permissions of the folder that holds it; do whatever you want with the file; and then change the folder permissions back to something safe. You can also create new folders if you want using the command ftp_mkdir().
>>
>> Note, the beginning of the ftp_paths are different than url paths we would normally use to locate a file. For example:
>>
>> An example web path: http://www.yourdomain.com/rw/tmp/text.txt
>> An example symbolic link: public_html/rw/tmp/text.txt
>>
>> The following code will show you an example of how this works. Just put in your own domain, user id, password, and correct paths and try it out. Change the permissions in the code and watch how the file permissions change. Please let me know if this works for you -- watch for line breaks.
>>
>> hth's
>>
>> tedd
>>
>> PS: I don't know what to say about your .public_html/ directory, but I would just leave it alone.
Re: [PHP] File Upload Security and chmod
On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
> So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ's section on my server's website say that /tmp is not shared between the servers. So, looks like /tmp option is out...

Did they perhaps give you your own tmp directory elsewhere?...

Sometimes you just need to poke at it to figure out where your tmp is, and then you can use the PHP functions that let you specify your own directory, but not the ones that assume that system /tmp is your tmp

My host has a tmp dir I can use, but it ain't /tmp, and PHP routinely tries to use /tmp with some functions. G.

> So, let me see if I understand the situation I'm looking at here:
>
> The bad side:
> -- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD).

Yes.

Though if file uploads are working at all, looking at the $_FILES array may give you a clue as to a directory that you maybe *can* access which is your own private tmp...

> -- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD).

On the plus side, some of the coding gets real simple, since you are you, and you are never somebody else. :-)

> The good side:
> -- Uploaded files can be chmod so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (get_image_size, etc.)?

PHP needs to read them for get_image_size, but not execute.

Use minimum force needed.

If you are flipping the chmod around within your scripts, that reduces your risk to however long the dir remains in its 0777 (or whatever) state, which is however long your script takes to process whatever it has to process in that state. So long exhaustive checks of the validity of a file are bad because that leaves that window open longer, but they're good because the file is then more likely to be kosher.

> -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size).

Extension check is kinda useless... I can name any file I want with .jpg and upload it.

get_image_size() is good, as it checks the first N bytes -- But somebody somewhere can construct a worm with the first N bytes that LOOK like a valid image, to get_image_size()

A human eyeball check would be even better, as then you *know* that a much larger number of bytes are a valid image.

It could still be image+worm with the worm tacked on at the end, and a valid image at the front, which the browser would probably just go ahead and display as valid image. :-(

The odds of somebody able to construct a valid-looking image whose exact byte sequence is also a worm are pretty low, but not impossible... :-)

> (Plus all the stuff talked about in the PHP Security Guide provided by the PHP Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well, all of it that I can implement without having access to a directory outside of my webtree anyway).

Be careful.

It's entirely possible that *some* of the advice would put you at higher risk with your setup, if their assumption is the "nobody" user and a directory outside web-tree.

So just because you *CAN* implement your advice in your situation, won't mean you should.

You're going to have to examine every little thing on a case-by-case basis with your Security Hat on firmly -- Which means thinking "If I was Evil, how would I break this?"

> So, given this situation (if I've got it right), I have two questions:
>
> 1) With the above as is, am I just asking for anyone to come in and tear my site apart? I am not an experienced web developer (obviously), but I love to read. Is that enough to build a secure site, or am I just way in over my head?

There's no such thing as a secure site...

A secure site is not an off/on switch. It's more a gradient from "horrible" to "very strong".

And the act of building a Secure site is not even just a question of following all the rules in http://phpsec.org and so on.

It's a thought process, a living breathing intelligent human actually *thinking* about what they are doing, and what the Risks are, and what the Benefits are, and trying to consider every possible angle of every decision.

Are you building an e-commerce site, right out of the gate, on a server configured like this? Bad Idea.

Are you building just a photo upload site? Probably
Re: [PHP] File Upload Security and chmod
At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
I'm curious, what you described is exactly what I'm trying to do - what permissions do you set the parent folder at when you are finished uploading/saving/downloading/etc.? I have my uploaded_images/ directory set at chmod 0100 and I can still browse to an uploaded image from my file upload page...

Andy:

I ran into the same problem trying to work with, and understand, permissions on a virtual host. When I asked this gang about permissions some time back, I received answers that ranged from RTFM to calling me stupid for using 0777, but none answered my question. No fault of the gang, I probably didn't ask the question correctly. In any event, I felt too stupid to ask the question again, so I went elsewhere looking for answers and eventually found something that works for me. Some consider me a novice, so I'll ask the gang to overview my comments to make sure that I'm not guiding you down the wrong path.

As you know, the key to setting the permissions of a file depends upon the permissions of the parent folder. If the parent folder permission is set to 0777, then we can change any files inside the folder as we want. However, that also presents a major security hole because then anyone can use that folder to upload and run evil code. So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as we want via our FTP connection software. So, I thought perhaps php had something like that and as such I discovered how to ftp connect via php. Now, not all php ftp commands are available to php 4, but you can connect to your site and change permissions of folders, which is what we actually need.

So, if you want to do something with a file: then change the folder permissions of the folder that holds it; do whatever you want with the file; and then change the folder permissions back to something safe. You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp paths is different from the url paths we would normally use to locate a file. For example:

An example web path: http://www.yourdomain.com/rw/tmp/text.txt
An example symbolic link: public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just put in your own domain, user id, password, and correct paths and try it out. Change the permissions in the code and watch how the file permissions change. Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your .public_html/ directory, but I would just leave it alone.

---

// how to call the function
<?php
$ftp_path = "public_html/rw/";   // note the ftp path
$theDir   = "tmp";
$theFile  = "text.txt";
FtpPerms($ftp_path, $theDir, $theFile);
?>

// the function
<?php
// create directory and change permissions via FTP connection
function FtpPerms($path, $theDir, $theFile)
{
    $server = 'ftp.yourdomain.com';                  // ftp server
    $connection = ftp_connect($server);              // connection
    $user = "you";
    $pass = "yourpassword";
    // login to ftp server (only if the connection itself succeeded)
    $result = $connection ? ftp_login($connection, $user, $pass) : false;

    if ((!$connection) || (!$result)) {
        echo("No connection<br/>");
        return false;
    } else {
        echo("Made connection<br/>");
        ftp_chdir($connection, $path);               // go to destination dir

        echo("Change permission<br/>");
        $str = "CHMOD 0755 " . $theDir;              // change permissions for dir (note the space after 0755)
        ftp_site($connection, $str);
        echo($str . "<br/>");

        $filename = "$theDir/$theFile";
        $contents = "This is the contents of the file.";
        echo("<hr><br/>Writing file <br/><br/>");
        $file = fopen($filename, "w");
        fwrite($file, $contents);
        fclose($file);
        chmod($filename, 0755);

        echo("Change permission<br/>");
        $str = "CHMOD 0600 " . $theDir;              // change permissions back for dir
        ftp_site($connection, $str);
        echo($str . "<br/>");

        echo("Close connection<br/>");
        ftp_close($connection);                      // close connection
    }
}
?>

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
Tedd,

Thanks so much for your thorough response - it's good to know that I'm not the only one trying to figure this out!

I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours.

Andy

On 9/25/06, tedd [EMAIL PROTECTED] wrote:
So, if you want to do something with a file: then change the folder permissions of the folder that holds it; do whatever you want with the file; and then change the folder permissions back to something safe.
Re: [PHP] File Upload Security and chmod
On 9/25/06, Andy Hultgren [EMAIL PROTECTED] wrote:
Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours.

By using FTP you can specify which user account you want the connection to be established as. When running a PHP script the script will be run by the Apache server, which means it will have specific permission levels which cannot create directories or chmod unless Apache owns the parent directory. That is why Tedd went through all that trouble.
Re: [PHP] File Upload Security and chmod
Andy:

It was never a question of speed for me -- it was a question of being able to change file permissions from within a php script so that I could create and write files safely.

You see, I am *not* able to use chmod() within a php script at all regardless of what permissions the file and parent folder have -- even when both are set to 0777. To do any permissions changing from within a php script I am forced to resort to an ftp connection as I previously described. I can't even create a file, nor open a file for writing, without the parent folder having 0777 permissions. The only option I had was to set parent folders to 0777 and leave them that way, and I wasn't going to do that for security reasons.

Now, perhaps something is wrong with my server (or me) -- but -- I have more than one server and the same tests held true for all of them.

So, if you can chmod() and mkdir() from within your php script without establishing an ftp connection, then more power to you, because I can't. And that's the reason I use ftp_login. I thought that you had the same problem.

Now, perhaps I should RTFM again -- but -- I have read it and I have not found another method that works to change permissions other than to use ftp_login. I suspect that this problem may be pretty obvious to the gang, but I don't know if anyone cares to comment.

Comments?

tedd

---

At 1:11 PM -0600 9/25/06, Andy Hultgren wrote:
I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes?
Re: [PHP] File Upload Security and chmod
Well, that didn't sound too good...

So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ section on my server's website says that /tmp is not shared between the servers. So, looks like the /tmp option is out...

So, let me see if I understand the situation I'm looking at here:

The bad side:
-- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD).
-- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD).

The good side:
-- Uploaded files can be chmod'd so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (getimagesize, etc.)?
-- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and getimagesize). (Plus all the stuff talked about in the PHP Security Guide provided by the PHP Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well, all of it that I can implement without having access to a directory outside of my webtree anyway).

So, given this situation (if I've got it right), I have two questions:

1) With the above as is, am I just asking for anyone to come in and tear my site apart? I am not an experienced web developer (obviously), but I love to read. Is that enough to build a secure site, or am I just way in over my head?

2) Imagining that I can convince my host to rebuild my site so that I have access to directories outside of my webtree and can check and save uploaded files there, does that make the situation substantially better? Or is the PHP running as me thing enough alone to raise some serious serious problems (perhaps less around the image uploading but more around a login page or something)?

As always, thank you so much for your help.

Andy

On 9/25/06, Richard Lynch [EMAIL PROTECTED] wrote:
On Sun, September 24, 2006 11:04 pm, Andy Hultgren wrote:
I really appreciate your help with this. To answer your first question: when people surf to my site they see the stuff next to (outside) .public_html/, not anything within .public_html/. (Thanks by the way for explaining the .dirName invisibility thing, that's one confusing thing not to worry about anymore!)

Hmmm. Okay, so you definitely do not have any space outside the webtree. That's bad. Anything you upload is stuck being available to the public, to some degree. :-(

You *may* be able to utilize /tmp. See if you can write a short little script with http://php.net/tmpfile. This will give you an idea if you can stash things in /tmp, at least until you can confirm that they are not Evil.

To answer your second question: the uploadedFiles/ directory is 0100, but not the file. The uploaded file itself is 0640.

So your login is allowed to read files within the directory, but not to list what's in the directory. Your login and your group can read the file itself. Your login can write the file as well. See next question/answer.

Third question: it runs as the same username I use to login to my server's ftp site. This information wasn't in the output of the phpinfo() function (that I could find). I did some searching on php.net and found this entry under the get_current_user() function (http://us3.php.net/manual/en/function.get-current-user.php, top user contributed note):

to get the username of the process owner (rather than the file owner), you can use:
<?php $processUser = posix_getpwuid(posix_geteuid()); print $processUser['name']; ?>

I used this code to find out the user PHP runs as. Is that what you were looking for?

Yes. And since PHP runs as you with your login, it can do everything listed above.

So you probably cannot surf to the DIRECTORY and get a listing (even if DirectoryIndex is on) but if you know the name of the file in advance, you can surf to it.

So if you want to make a file not readable, you have to chmod it so that *YOU* cannot read it. This will be a PITA because then you'll need to chmod it back any time you want to mess with it.

As the owner of a file, you are allowed to chmod it so that you yourself cannot read it -- kind of like locking it away in a safe -- and then you have to chmod it back to readable (open the safe) to read it. You still own the file, so you can always chmod it any which way you want, at any time.

Running your webserver as you gives it a lot of power
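As an added example (not code from Andy, tedd or Richard), here is how the two ideas in this exchange can be combined into one upload handler: Andy's plan of filtering uploads by what getimagesize() reports, and Richard's "lock it in a safe" pattern of chmod'ing the stored file so that even the owner cannot read it, then unlocking it only while serving. It assumes PHP 7 or later running as the account that owns the files (Andy's situation, so chmod() works without an FTP round trip), a directory named saved_files next to the script that is mode 0700 and owned by that account, and a hypothetical form field named image; all three are assumptions, not details from the thread.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 running as the owner of
// STORE_DIR (so chmod() works), and a 0700 STORE_DIR that already exists.
// Because Apache runs as the same user, a 0700 directory alone does not stop
// it serving the files; the per-file 0000 lock below is what does that.
const STORE_DIR = __DIR__ . '/saved_files';            // assumption: your own layout
const MAX_BYTES = 2 * 1024 * 1024;
// Only types we are willing to serve; the extension comes from the detected
// type, never from the client's file name (so "evil.php.jpg" cannot sneak in).
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Validate one $_FILES entry by its bytes and store it locked (mode 0000).
 * Returns the generated file name; throws on any problem.
 */
function storeUploadedImage(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? '?'));
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('file too large or not a real upload');
    }
    $info = @getimagesize($file['tmp_name']);          // must parse as an image
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    $mime = $info['mime'];
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("image type $mime not allowed");
    }
    // Random, server-chosen name: no traversal, no client-controlled extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = STORE_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    chmod($dest, 0000);                                 // locked: nobody, not even us, can read it
    return $name;
}

/** Run $work on a locked file and re-lock it afterwards, even if $work throws. */
function withUnlocked(string $path, int $mode, callable $work)
{
    if (!chmod($path, $mode)) {
        throw new RuntimeException("cannot unlock $path");
    }
    try {
        return $work($path);
    } finally {
        chmod($path, 0000);                             // the "safe" is closed again
    }
}

/** Serve a stored image through PHP instead of letting Apache read it directly. */
function serveImage(string $name): void
{
    // Accept only names we generated ourselves.
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = STORE_DIR . '/' . $name;
    if (!is_file($path)) {                              // stat works on a 0000 file
        http_response_code(404);
        return;
    }
    withUnlocked($path, 0400, function (string $p): void {
        header('Content-Type: ' . getimagesize($p)['mime']);
        header('X-Content-Type-Options: nosniff');
        header('Content-Length: ' . filesize($p));
        readfile($p);
    });
}

// Usage (hypothetical field and query names):
//   upload.php:  $stored = storeUploadedImage($_FILES['image']);
//   image.php:   serveImage($_GET['f'] ?? '');
```

The point of withUnlocked() is the finally block: if getimagesize() or readfile() fails halfway, the file still ends up at 0000 rather than being left readable by the web server. Serving through image.php also means the stored path never has to be guessable or browsable, which is the gap Andy observed when the browser could still fetch a file after the directory was set to 0100.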
Re: [PHP] File Upload Security and chmod
Hey Tedd and Eric,

Between the two of you and Richard Lynch's last post, I understand why I can use chmod() and mkdir() within php without having to use the ftp commands: I run on a server that is configured to run my php scripts as username (i.e. me!) instead of as nobody (which is much more common). So my php scripts have powers which they probably shouldn't have.

So, Tedd, you don't have to go back to the manual; it looks like you are exactly right, I'm just on a goofy server which is the exception to the rule (for better or for worse).

I really appreciate you guys jumping in and giving me a hand. Hopefully I get good enough at this that I can return the favor sometime!!!

Andy

On 9/25/06, Eric Butera [EMAIL PROTECTED] wrote:
By using FTP you can specify which user account you want the connection to be established as. When running a PHP script the script will be run by the Apache server, which means it will have specific permission levels which cannot create directories or chmod unless Apache owns the parent directory. That is why Tedd went through all that trouble.
Re: [PHP] File Upload Security and chmod
Hi Tedd,

Yes, when I browse to www.myDomain.com I get the index.html file, and so I have been leaving the .public_html/ directory alone since it is not my root.

I'm curious, what you described is exactly what I'm trying to do - what permissions do you set the parent folder at when you are finished uploading/saving/downloading/etc.? I have my uploaded_images/ directory set at chmod 0100 and I can still browse to an uploaded image from my file upload page...

Thanks for your response,

Andy

On 9/23/06, tedd [EMAIL PROTECTED] wrote:
If you want to change permissions for a file from within a php script, then ftp into your site (using ftp_login), change the parent folder permissions, do your file thing (upload, delete, save, etc.), and then change the parent folder permissions back and it's done. At least that's the way I do it working on a shared host and it works for me.
Re: [PHP] File Upload Security and chmod
On Saturday 23 September 2006 01:27, you wrote:
Hi Borge,

host/users/myDomain is the actual directory (and it's the root directory), and I do not have access to higher directories. So basically I do not have access to directories higher than my root directory, which is unfortunate. Also, the way the server is set up that I am on, I do not have access to the server's tmp file (it is not shared); I have my own tmp file in my root directory that I use. I don't know of any other system-wide read/write directory available either. I'd be putting a lot of data there too (customer uploaded images) so I really should save them somewhere in my directory and not in the common server space.

You can start to see my bind... :(

Any thoughts greatly appreciated!

Andy

Sounds like cheap b-one hosting of sorts... thoughts? yes, don't use it... Yer site will probably quickly become a playing ground for other than yerself.

A file has to stay inside a quarantined area for a sanity check before being let loose on the system.

Probably the cache of the browser ... for the "I can see the page" stuff. dunno.

But as I said: Change yer hosting, to something usable and safe.

--
---
Børge Kennel Arivene
http://www.arivene.net
---
Re: [PHP] File Upload Security and chmod
At 7:19 PM -0600 9/22/06, Andy Hultgren wrote:
For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what is there:

index.htm
page1.htm
page2.htm
.public_html/
images/
etc. etc.

Andy:

Sorry, I didn't catch all of the thread, but this is my drift.

When you access your site (http://yourdomain.com) via a browser, do you see the above index.htm?

If so, and you want to stay with that host, then leave the .public_html/ folder alone, and build your site using WinFTP, or whatever.

If you want to change permissions for a file from within a php script, then ftp into your site (using ftp_login), change the parent folder permissions, do your file thing (upload, delete, save, etc.), and then change the parent folder permissions back and it's done. At least that's the way I do it working on a shared host and it works for me.

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
[PHP] File Upload Security and chmod
Hi,

I am relatively new to php and am trying to set up a file upload process for my website. I have read through the php security documentation and a number of the security-related questions on these lists and am attempting to implement as many of the measures as possible. One of the suggestions I have read is to have the uploaded files saved somewhere outside of your root directory. Unfortunately I cannot do that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be changed (I have already asked). So, I am trying to keep the permissions on my saved_files folder as tight as possible except when the actual upload occurs. I do this as follows:

1) The actual file upload comes through Flash8, and when the user uploads a file it is sent to www.domain.com/flash8directory/upload.php, which is in the same directory as the Flash8 upload application.

2) upload.php first chmods the saved_files folder (which is located at www.domain.com/flash8directory/saved_files/) to 0740. Then it does security checks to make sure an appropriate image has been uploaded, and if everything looks good it moves the uploaded file to saved_files.

3) The Flash8 upload application is notified of the completion of the upload and downloads the new image into its viewer.

4) Once the download is complete and Flash8 no longer needs to work with the file, the Flash8 application notifies a separate php script by sending the variable complete=1 to lockdown.php (located at www.domain.com/flash8directory/lockdown.php), which runs the following simple script:

<?php
$success = 0;
$complete = $_POST['complete'];
if ($complete == 1) {
    // close the folder again: 0100 leaves only the owner's search bit set
    if (chmod("./saved_files", 0100)) {
        $success = "yes";
        echo "success=yes";
    }
}
?>

This script works and saved_files is set to chmod 0100, but here is the problem. If I then navigate directly to the url of the uploaded file by entering its path in my browser (www.domain.com/flash8directory/saved_files/uploadedFile.jpg), the uploaded file appears in my browser! However, if I then refresh the browser I get the desired error message saying I do not have permission to access that file. Also, other browser windows never have access to view the uploaded file, only the browser from which the file was uploaded.

Any thoughts on why I can view the uploaded file even though it has been set to chmod 0100? I'd really rather not have those files accessible to anyone, as an extra security layer.

Thank you for your help!

Andy
Re: [PHP] File Upload Security and chmod
On Friday 22 September 2006 22:58, Andy Hultgren wrote:
One of the suggestions I have read is to have the uploaded files saved somewhere outside of your root directory. Unfortunately I cannot do that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be changed (I have already asked). So, I am trying to keep the permissions on my saved_files folder as tight as possible except when the actual upload occurs.

Any thoughts on why I can view the uploaded file even though it has been set to chmod 0100? I'd really rather not have those files accessible to anyone, as an extra security layer.

I don't quite understand why you cannot save to another catalog. Is www.myDomain.com yer actual directory name or merely the domain? If either, login to yer domain and simply go one step up; is that possible?

You can also make use of a .htaccess file inside a sub directory to keep others from it till you have checked the file, then move it out in the open or delete after specifications.

Do you have access to /tmp? That one is possible to use; in fact any system-wide directory writable by any/you is usable.

--
---
Børge Kennel Arivene
http://www.arivene.net
---
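Børge's .htaccess suggestion, written out as an added example (it is not from his message): the file goes inside the quarantine sub directory that upload.php writes to, so that nothing in it can be fetched over HTTP or executed by the server while the checks run, and approved files are moved elsewhere afterwards. It uses Apache 2.4 syntax with the 2.2 equivalents commented; whether these directives are honoured depends on the host's AllowOverride setting (AuthConfig, FileInfo and Options are needed), which is an assumption to check with your host. The php_flag line only takes effect under mod_php; the module name it registers varies by PHP version (mod_php5.c, mod_php7.c, mod_php.c), so match the one your server loads.

```apache
# Added example: .htaccess for an upload quarantine directory (not part of the thread).
# Assumes AllowOverride permits AuthConfig, FileInfo and Options here.

# 1. Nobody can fetch anything in this directory over HTTP. PHP still reads
#    the files through the filesystem and moves approved ones out.
Require all denied
# Apache 2.2 equivalent:
# Order deny,allow
# Deny from all

# 2. Belt and braces: even if a file were reachable, never execute it.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .phar .inc
RemoveType    .php .phtml .php3 .php4 .php5 .phar .inc
Options -ExecCGI -Indexes

# 3. Until checked, everything here is opaque bytes, not an image or a page.
ForceType application/octet-stream
<IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
</IfModule>
```

Section 1 is the one that matters for Andy's symptom (the file still being fetchable by the uploading browser); sections 2 and 3 only limit the damage if section 1 is ever lost, for example when a host silently ignores Require in .htaccess. After the checks pass, the approved file is moved out of this directory into whatever location it is served from, so the quarantine directory never accumulates content.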
Re: [PHP] File Upload Security and chmod
On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
> ... that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be ...

I got two words for you: Change Hosts

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] File Upload Security and chmod
So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could.

On 9/22/06, Richard Lynch wrote:
> I got two words for you: Change Hosts
Re: [PHP] File Upload Security and chmod
I may have hit send too soon...

Like, when you do FTP, do you see:

    index.htm
    page2.htm
    page3.htm

right away? *OR*, do you see:

    public_html

and then you do cd public_html and THEN you see the files?

If you don't do cd public_html, then I really don't think accepting file uploads is a Good Idea, unless you have access to /tmp or something to put the files in...

If you do cd public_html, then you actually HAVE space outside your webtree. Just do

    mkdir uploads
    chmod 777 uploads

*BEFORE* you do cd public_html and you'll have an uploads dir outside the webtree where you can put stuff.

NOTE: Some fancy FTP tools like DreamWeaver and whatnot will convince you to put public_html into some input box somewhere, to give you the convenience of not needing to cd public_html -- which then means you never *SEE* that you have space outside your webtree... Stop doing that. An extra click or whatever to get into public_html is not that big of a deal.

On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote:
> So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could.

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] File Upload Security and chmod
For whatever reason, when I FTP in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I FTP in to myDomain.com this is what is there:

    index.htm
    page1.htm
    page2.htm
    .public_html/
    images/
    etc. etc.

Currently nothing is stored in my .public_html directory since it is not my root (and my website loads just fine when browsed to). I don't FTP in from DreamWeaver and it isn't an issue of going straight to public_html just to skip the cd step. public_html just isn't set up as my root directory and I have no directories accessible that are higher than my root.

So, since I have no access to directories outside of my root, do you really think I should change that before allowing file uploads? (Either by changing servers or just bugging my server administrator until he changes it.) I currently check extension type and then image type using getimagesize(); and also files with image extensions are not executable on the server. However, from what I've read I understand that those steps are the minimum in terms of file upload security.

Also, I'd be curious still to hear why I can browse to a file in a directory that has been set with chmod 0100. I really didn't expect that.

Thanks again very much for your thoughts,

Andy

On 9/22/06, Richard Lynch wrote:
> If you don't do cd public_html then I really don't think accepting file uploads is a Good Idea, unless you have access to /tmp or something to put the files in... If you do cd public_html then you actually HAVE space outside your webtree. Just do mkdir uploads and chmod 777 uploads *BEFORE* you do cd public_html and you'll have an uploads dir outside the webtree where you can put stuff.
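The scheme Andy describes in steps 2 and 4 of the first message, toggling saved_files between 0740 and 0100 around each upload, uses mode bits to hide files that sit under the document root. Two facts bear on why the image stayed viewable: mode 0100 leaves only the owner's search bit, so a process running as the directory's owner (PHP under suexec or CGI) can still open a file inside it by name while any other uid (Apache running as nobody) cannot; and a fetch that succeeds once right after the upload, then fails on refresh, and only in the browser that performed the upload, is consistent with the browser serving its own cached copy rather than a fresh read from the server. Either way the mode bits guard the directory on behalf of the wrong principal or not at all. The handler below is an added example, not code from the thread or from any of the posters. It keeps the checks Andy mentions (extension whitelist and getimagesize()), stops trusting the client filename, and stores the file outside the webtree under a random name, which is the layout Richard and Børge recommend. The Flash field name Filedata, the path /home/account/uploads and the 2 MB cap are assumptions.

```php
<?php
// Added example, not code from the thread. Hardened image-upload handler.
// Assumptions (not from the original posts): the Flash uploader posts the
// file in a field named "Filedata", and a directory outside the document
// root, /home/account/uploads, exists and is writable by the PHP user.
define('UPLOAD_DIR', '/home/account/uploads');   // assumed path, outside the webtree
define('MAX_BYTES', 2 * 1024 * 1024);            // 2 MB cap, choose per site
define('FIELD', 'Filedata');                     // assumed form field name

// Only these image types are accepted. The key is the IMAGETYPE_* constant
// that getimagesize() reports; the value is the extension we assign ourselves.
$allowed = array(
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
);

function fail($msg) {
    header('HTTP/1.1 400 Bad Request');
    echo 'error=' . rawurlencode($msg);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES[FIELD])) {
    fail('no file');
}
$f = $_FILES[FIELD];

// 1. PHP's own verdict on the transfer comes first: partial uploads, size
//    overruns from php.ini and a missing temp dir all surface here.
if ($f['error'] !== UPLOAD_ERR_OK) {
    fail('upload failed, code ' . (int)$f['error']);
}
// 2. Size check on the server-side byte count, never on anything the client sent.
if ($f['size'] <= 0 || $f['size'] > MAX_BYTES) {
    fail('file too large');
}
// 3. Refuse to act on a temp file PHP did not create for this request.
if (!is_uploaded_file($f['tmp_name'])) {
    fail('not an uploaded file');
}
// 4. Decide the type from the bytes, not from the client filename or MIME header.
$info = @getimagesize($f['tmp_name']);
if ($info === false || !isset($allowed[$info[2]])) {
    fail('not a supported image');
}
$ext = $allowed[$info[2]];

// 5. Never reuse the client's name: it is the channel for "shell.php.jpg",
//    "../" tricks and collisions. Generate our own, and keep the original
//    only as a sanitised label for display, never as part of the path.
$label   = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($f['name']));
$label   = substr($label, 0, 64);
$newname = bin2hex(random_bytes(16)) . '.' . $ext;
$dest    = UPLOAD_DIR . '/' . $newname;

// 6. Move out of the temp dir, then drop the permission bits PHP gave the
//    upload (0600 is enough: only the PHP user needs to read it).
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail('could not store file');
}
chmod($dest, 0600);

// 7. Hand the viewer an id, not a path. A separate script resolves the id to
//    the file on disk, so nothing under the document root is ever written.
echo 'success=yes&id=' . $newname . '&label=' . rawurlencode($label);
```

If the account really has nothing outside the document root, the same handler can write into a subdirectory that carries a .htaccess with `Require all denied` (Apache 2.4; `Deny from all` on 2.2), which is Børge's suggestion; a reader script then remains the only way in, and the directory's mode bits drop out of the access-control story entirely. Re-encoding the image with GD before storing it is a further step worth considering, since it discards EXIF and comment segments where a payload could ride along.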
[PHP] File upload security
Hi,

I have a PHP script which uploads files to a webserver. The idea is that anyone can upload files, but only another PHP script can read the files. At this moment I think someone is deleting files from my upload folder. What CHMOD settings do I need to secure this?
Re: [PHP] File upload security
Files in web folders should usually be 755

/peter a

At 2003-01-23 11:15, Marco Alting wrote:
> What CHMOD settings do I need to secure this?
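Marco's requirement, anyone can upload but only another PHP script can read, cannot be expressed with chmod alone, and 755 does not address it: the read bits decide which uid may open a file, and under mod_php the script that should be allowed to read and the Apache request that should be refused run as the same user. Deleting a file likewise needs write permission on the directory, not on the file, so whoever is removing uploads already runs with the directory owner's or the web user's rights, and the directory has to stay writable by that uid for uploads to work at all. What does enforce "only this script reads" is keeping the files where Apache will not serve them (outside the document root, or behind a .htaccess deny as suggested earlier on this page) and handing them out through a gatekeeper script. The script below is an added example, not code from the thread or from any poster. It assumes the files were stored under random 32-hex-character names in /home/account/uploads, and it uses a session flag $_SESSION['can_view'] as a stand-in for whatever authorisation the site really applies; both are assumptions.

```php
<?php
// Added example, not code from the thread. Gatekeeper script that is the only
// reader of uploaded files. Assumptions (not from the original posts): files
// live outside the document root in /home/account/uploads under random names
// (32 hex chars plus an extension), and $_SESSION['can_view'] marks a user
// entitled to fetch them; substitute the real authorisation check.
define('UPLOAD_DIR', '/home/account/uploads');   // assumed path, outside the webtree

$types = array(
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
);

function deny($status, $msg) {
    header('HTTP/1.1 ' . $status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

session_start();
if (empty($_SESSION['can_view'])) {
    deny('403 Forbidden', 'not allowed');
}

// 1. Accept only the exact shape of name the uploader generates. This rejects
//    "../", encoded slashes, NUL bytes and anything else before the
//    filesystem ever sees the string.
$id = isset($_GET['id']) ? $_GET['id'] : '';
if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $id)) {
    deny('400 Bad Request', 'bad id');
}
$ext = substr($id, -3);

// 2. Belt and braces: after resolving symlinks the file must still sit inside
//    UPLOAD_DIR. realpath() returns false for a missing file.
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $id);
if ($base === false || $path === false
    || strpos($path, $base . '/') !== 0 || !is_file($path)) {
    deny('404 Not Found', 'no such file');
}

// 3. Serve with a Content-Type we chose, no sniffing, and no caching, so a
//    browser neither guesses its way around the type nor keeps a copy that
//    outlives the permission check.
header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . $id . '"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

With the files outside the webtree the directory can be 0700 (or 0750 if a separate cron job owned by the same group must read it); the mode only has to admit the uid PHP runs as, and every request from a browser still passes through the checks above because there is no other URL that maps to the directory.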