Exploiting web development worst practices: file upload

This article is part of a series that helps programmers code more secure websites.

File upload exploit

If I can upload a file to your website, like, for example, an avatar, a picture, or a document for review, do you protect your website from that file?

What happens if I upload, for example, the infamous c99.php as my avatar? Will I be able to access it at something like

http://your-site/avatars/username/c99.php

Once malicious code is on the server, it can access the same files, databases and directories that your web application accesses, allowing it to disrupt business, steal sensitive data, use your server to serve viruses to other people, or set up phishing sites.

How to avoid file upload exploits?

Don’t assume that anything that comes from the user can be trusted (again).

(1) Rename all uploaded files, and store the original file name in the database. (This also allows avoiding filename clashes.)

(2/a) Put uploaded files into a directory that is inaccessible from the web server, and serve them from PHP code.
BUT: beware of URLs like download.php?file=../../../../../../etc/passwd

OR

(2/b) Use .htaccess to disable PHP execution in the directory where you put the files.
BUT: beware of file inclusion attacks.
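
Steps (1) and (2/a) combined, as an added example that is not the article's own code: uploads get a random stored name, the original name lives only in the database, and download.php takes a numeric id instead of a file name, so a ../ sequence has nothing to act on. The `uploads` table, its columns and the storage path are assumptions.

```php
<?php
// Added example. Table name, column names and STORAGE_DIR are assumptions.
declare(strict_types=1);

const STORAGE_DIR = '/var/app-uploads';   // assumed path, outside the document root

// Step (1): store under a random, server-chosen name; the user's name is only data.
function store_upload(PDO $db, string $tmpPath, string $originalName): int
{
    $stored = bin2hex(random_bytes(16));   // no extension, nothing user-controlled
    if (!move_uploaded_file($tmpPath, STORAGE_DIR . '/' . $stored)) {
        throw new RuntimeException('upload rejected');
    }
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, original_name) VALUES (?, ?)');
    $stmt->execute([$stored, $originalName]);
    return (int) $db->lastInsertId();
}

// Step (2/a): download.php?id=42 ; the request carries an integer, never a path.
function serve_upload(PDO $db, string $rawId): void
{
    if (!ctype_digit($rawId)) { http_response_code(400); return; }
    $stmt = $db->prepare('SELECT stored_name, original_name FROM uploads WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { http_response_code(404); return; }

    // Defence in depth: the resolved path must still sit inside STORAGE_DIR.
    $base = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . $row['stored_name']);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404); return;
    }
    // Header-safe download name built from the stored original name.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($row['original_name']));
    header('Content-Type: application/octet-stream');   // do not let the browser guess
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);   // streams bytes; the file is never passed to include/require
}
```

In download.php the call would be `serve_upload($db, $_GET['id'] ?? '');` with `$db` an open PDO connection.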

Photo courtesy of nickwheeleroz

About the author: Kristóf Kovács is a freelance computer technology architect and project leader. You can rent his brain as your advisor, or you can hire him to help you in your projects. His ventures include a mobile entertainment company (Mobile Planet Ltd), and a boutique software development house (Online Projects Ltd). Follow him on Twitter!
