[Owasp-boston] Checking file types on upload

Kozlov, Paul paul_kozlov at harvard.edu
Thu Nov 12 10:39:10 EST 2009


On some Linux flavors you can use file command to test the file types.
It will recognize php scripts even if files do not have the right
extension. Here is a sample output I have on RHEL 4 system:

 

$ file testfile.php

testfile.php: PHP script text

$ mv  testfile.php testfile.jpg

$ file testfile.jpg

testfile.jpg: PHP script text

 

To automate that find + grep may be used as follows, and these files can
be singled out for manual examination or be deleted right away if you
wish.

 

$ find . -name '*.jpg' -exec file {} \; | grep PHP

./testfile.jpg: PHP script text

 

----------------------------------------------------

Paul Kozlov, CISSP

Operations Manager, IT Infrastructure Services

Harvard University UIS

________________________________

From: owasp-boston-bounces at lists.owasp.org
[mailto:owasp-boston-bounces at lists.owasp.org] On Behalf Of Javed Ikbal
Sent: Thursday, November 12, 2009 10:25 AM
To: owasp-boston at lists.owasp.org
Subject: Re: [Owasp-boston] Checking file types on upload

 

Yes,  "<?" may exist in an image file.

But:
Given the upload dirs may have hundreds, if not thousands of files,
finding the suspicious files would be a chore--hence my recommendation.

grep will narrow down the list of suspects very quickly for the manual
examination, or the output of the grep could be piped to the php syntax
check as you suggested.

Javed

Stephane Corlosquet wrote: 

	I guess you can run grep in the upload dirs to catch misnamed
php files
	that have already been uploaded, something like:
	
	grep -R "<?" *.jpg *.gif *.png


An image file could contain "<?" but that does not mean it's a PHP file.
Maybe you could run php --syntax-check on the command line to check the
syntax of a suspicious file.

Steph.

On Thu, Nov 12, 2009 at 9:57 AM, Javed Ikbal <javed at zsquad.com> wrote:

The most common (and error-prone) method is to use the $_FILES array.
The browser supplies this information to the server, and IE is notorious
for using the extension to tell the server what the filetype is.

As it uses the filename extension, it is easy to fool (or make the
mistake)

With PHP 5.3 or above, you can use fileinfo

http://www.php.net/manual/en/function.finfo-file.php

For older versions, fileinfo is a loadable module.

I guess you can run grep in the upload dirs to catch misnamed php files
that have already been uploaded, something like:

grep -R "<?" *.jpg *.gif *.png

Regards

Javed


Laverty, Patrick wrote:
> Sorry for all the questions lately, but I'm wondering if someone has
> come up with a reliable way to check actual file types when they get
> uploaded to a server, preferably with PHP.  We've had some issues where
> people uploaded php files with a .jpg or .gif extension, so they slipped
> by for a while.
>
> We are turning off php in upload directories, among other security
> steps, but I just wanted to see if I could do more than just checking
> the file extension.  Looking for that extra layer of security.
>
> Thanks!
>
> Patrick Laverty
> Brown University
> _______________________________________________
> Owasp-boston mailing list
> Owasp-boston at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-boston
>

-- 

Best regards 

Javed
-------------------------------------------------------------------
Javed Ikbal, CISSP, CISM, CISA
Principal
www.zsquad.com | E: javed at zsquad.com
P: 617 780 9052 | F: 781 723 0590
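Added example, not code from anyone in this thread: a small Python reimplementation of the leading-byte check that the `file` command and PHP's finfo_file perform, run over an upload directory the way Paul's find + file | grep loop does. It also shows why Steph's caveat matters: a genuine JPEG that happens to contain "<?" is still classified as an image. Assumptions: only JPEG, GIF and PNG are allowed in the upload directory, and the sample files are constructed.

```python
# Leading-byte signatures for the image types the upload directory is
# supposed to hold (assumption: JPEG, GIF and PNG only).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png"}

def sniff_image_type(head):
    """Type implied by the leading bytes (what file/finfo look at), or None."""
    for kind, sigs in SIGNATURES.items():
        if any(head.startswith(s) for s in sigs):
            return kind
    return None

def looks_like_php(head):
    """Script-text check. A bare '<?' anywhere is not enough, since binary
    image data can contain it (the false positive noted in the thread)."""
    return head.lstrip().startswith(b"<?") or b"<?php" in head

def classify(filename, head):
    """'ok': content matches the extension; 'mismatch': a different known
    image type; 'php': script text; 'unknown': none of the above."""
    claimed = EXTENSIONS.get(filename.rsplit(".", 1)[-1].lower())
    actual = sniff_image_type(head)
    if actual is None:
        return "php" if looks_like_php(head) else "unknown"
    return "ok" if actual == claimed else "mismatch"

def scan(files):
    """Equivalent of find -name '*.jpg' -exec file: files maps name to the
    first bytes of the file; returns {name: verdict} for image extensions."""
    return {name: classify(name, head) for name, head in files.items()
            if name.rsplit(".", 1)[-1].lower() in EXTENSIONS}

# Constructed sample uploads (first bytes of each file), not real captures.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01<?\xff\xd9",  # real JPEG containing '<?'
    "banner.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    "renamed.jpg": b"<?php\necho 'not an image';\n",  # PHP script saved as .jpg
    "logo.png": b"GIF87a\x01\x00\x01\x00\x00\x00\x00;",  # GIF bytes under a .png name
    "notes.txt": b"plain text",  # no image extension: skipped, like find -name
}

def scan_samples():
    """Run the scan over the constructed samples."""
    return scan(SAMPLES)
```

On a real upload directory, feed `scan` the first few kilobytes read from each file (for example `open(path, "rb").read(4096)`); anything that comes back as php or mismatch is the list of suspects to examine by hand or remove.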
