[Owasp-boston] Checking file types on upload

Javed Ikbal javed at zsquad.com
Thu Nov 12 10:25:00 EST 2009


Yes, "<?" may exist in an image file.

But:
Given the upload dirs may have hundreds, if not thousands of files,
finding the suspicious files would be a chore--hence my recommendation.

grep will narrow down the list of suspects very quickly for the manual
examination, or the output of the grep could be piped to the php syntax
check as you suggested.

Javed

Stephane Corlosquet wrote:
>
>     I guess you can run grep in the upload dirs to catch misnamed php
>     files that have already been uploaded, something like:
>
>     grep -R "<?" *.jpg *.gif *.png
>
>
> An image file could contain "<?" but that does not mean it's a PHP
> file. Maybe you could run php --syntax-check on the command line to
> check the syntax of a suspicious file.
>
> Steph.
>
> On Thu, Nov 12, 2009 at 9:57 AM, Javed Ikbal <javed at zsquad.com> wrote:
>
>     The most common (and error-prone) method is to use the $_FILES array.
>     The browser supplies this information to the server, and IE is
>     notorious for using the extension to tell the server what the
>     filetype is.
>
>     As it uses the filename extension, it is easy to fool (or make the
>     mistake).
>
>     With PHP 5.3 or above, you can use fileinfo
>
>     http://www.php.net/manual/en/function.finfo-file.php
>
>     For older versions, fileinfo is a loadable module.
>
>     I guess you can run grep in the upload dirs to catch misnamed php
>     files that have already been uploaded, something like:
>
>     grep -R "<?" *.jpg *.gif *.png
>
>     Regards
>
>     Javed
>
>     Laverty, Patrick wrote:
>     > Sorry for all the questions lately, but I'm wondering if someone has
>     > come up with a reliable way to check actual file types when they get
>     > uploaded to a server, preferably with PHP.  We've had some issues
>     > where people uploaded php files with a .jpg or .gif extension, so
>     > they slipped by for a while.
>     >
>     > We are turning off php in upload directories, among other security
>     > steps, but I just wanted to see if I could do more than just
>     > checking the file extension.  Looking for that extra layer of
>     > security.
>     >
>     > Thanks!
>     >
>     > Patrick Laverty
>     > Brown University
>     > _______________________________________________
>     > Owasp-boston mailing list
>     > Owasp-boston at lists.owasp.org
>     > https://lists.owasp.org/mailman/listinfo/owasp-boston
>     >

-- 

Best regards

Javed
-------------------------------------------------------------------
Javed Ikbal, CISSP, CISM, CISA
Principal
www.zsquad.com | E: javed at zsquad.com
P: 617 780 9052 | F: 781 723 0590
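As an added example (not code from anyone in this thread), the following PHP script combines the two ideas discussed above: it uses fileinfo to determine the type from file content rather than from the browser-supplied extension, and it flags files that pass the type check but still contain a PHP open tag for manual review rather than treating "<?" alone as a verdict. It assumes PHP 5.3 or later with the fileinfo extension loaded; $uploadDir is a hypothetical path.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 5.3 with
// the fileinfo extension available. $uploadDir below is hypothetical.

// Permitted extensions and the MIME type fileinfo must report for each.
$allowed = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
);

// Returns null when the file is acceptable, otherwise a short reason.
function checkUpload($path, array $allowed)
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return "extension .$ext not permitted";
    }

    // Content-based detection: the browser-supplied name and $_FILES
    // 'type' are ignored; only the bytes on disk decide.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime !== $allowed[$ext]) {
        return "content is $mime, expected {$allowed[$ext]}";
    }

    // A bare "<?" can occur in legitimate image data, so a PHP open tag
    // inside a file that otherwise looks like an image is reported as a
    // suspect for manual review (or a php -l syntax check), not rejected.
    if (strpos(file_get_contents($path), '<?php') !== false) {
        return 'valid image type but contains "<?php": review manually';
    }

    return null;
}

$uploadDir = '/var/www/uploads'; // hypothetical upload directory
foreach (new DirectoryIterator($uploadDir) as $entry) {
    if (!$entry->isFile()) {
        continue;
    }
    $reason = checkUpload($entry->getPathname(), $allowed);
    echo $entry->getFilename(), ': ', ($reason === null ? 'ok' : $reason), PHP_EOL;
}
```

Run it over an existing upload directory to triage files already present; the same checkUpload() function can be called on the temporary file in $_FILES at upload time before the file is moved into place.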