Re: [suse-security] HTTP File Uploads

From: Keith Roberts (listskar.eclipse.co.uk)
Date: Fri Mar 12 2004 - 03:58:47 CST


Hi Armin.

Thanks for your reply.

I have set upload_max_filesize to 1M in php.ini.

From the php manual -

-------------------------------------------------
QUOTE

   Example 19-1. File Upload Form
<FORM ENCTYPE="multipart/form-data" ACTION="_URL_"
      METHOD="POST">

<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="1000">

Send this file: <INPUT NAME="userfile" TYPE="file">

<INPUT TYPE="submit" VALUE="Send File">
</FORM>

The _URL_ should point to a PHP file. The MAX_FILE_SIZE
hidden field must precede the file input field and its value
is the maximum filesize accepted. The value is in bytes.

Warning

The MAX_FILE_SIZE is advisory to the browser. It is easy to
circumvent this maximum. So don't count on it that the
browser obeys your wish! The PHP-settings for maximum-size,
however, cannot be fooled.

UNQUOTE
-------------------------------------------------

As upload_max_filesize cannot be fooled by an attacker, is
there any need to set the MAX_FILE_SIZE hidden field in the
form? I suppose I could write a function to check
MAX_FILE_SIZE is the value I expect it to be. If it has been
changed then terminate the php script.

My other concern was with an attacker inserting a virus of
any sort into a jpg file. Or just calling a virus
something.jpg, and trying to upload that to my server.

Probably need to run some sort of virus check on all
uploaded jpg files, and delete anything suspicious.

Kind Regards - Keith Roberts

On Fri, 12 Mar 2004, Armin Schoech wrote:

> To: suse-security@suse.com
> From: Armin Schoech <armin.schoech@web.de>
> Subject: Re: [suse-security] HTTP File Uploads
>
> Hi,
>
> > I'm working on a php script to upload user supplied jpg
> > photos to my server.
> >
> > What are the security issues involved when allowing users to
> > upload files to my server like this?
> >
> --> You should restrict the file size in the HTML form and
> additionally by checking the limit in the PHP script. Otherwise
> someone could crash your server by filling up your hard disk until 0
> bytes are left.
>
> Cheers,
> Armin
>
> --
> Am Hasenberg 26                   office: Institut für Atmosphärenphysik
> D-18209 Bad Doberan                       Schloss-Straße 6
> Tel. ++49-(0)38203/42137                  D-18225 Kühlungsborn / GERMANY
> Email: schoech@iap-kborn.de               Tel. +49-(0)38293-68-102
> WWW: http://armins.cjb.net/               Fax. +49-(0)38293-68-50
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@suse.com
> Security-related bug reports go to security@suse.de, not here
>
>

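The two questions raised in this thread (does the server need to check the MAX_FILE_SIZE hidden field, and what to do about a non-image file named something.jpg) both come down to the same rule: nothing the browser sends about the upload can be trusted, so every limit and every format check has to be enforced on the server from the file's actual content. The script below is an added example, not code from either poster or from the PHP manual. It assumes the form field is named "userfile" as in the quoted manual excerpt, that PHP's fileinfo and GD extensions are loaded, and an upload directory path that is only a placeholder. Checking that the posted MAX_FILE_SIZE still holds the expected value adds nothing, because the same client that can change it can also change the file, so the example ignores it entirely; the error code and size that PHP itself reports in $_FILES, a content-type sniff of the bytes on disk, and a decode-and-re-encode through GD are what actually decide whether the file is accepted.

```php
<?php
// Added example (not from the original thread): server-side checks for a
// single JPEG upload. Assumptions: the form field is called "userfile",
// the fileinfo and GD extensions are available, and UPLOAD_DIR is a
// placeholder to be replaced by a directory outside the web root.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 1000000;          // keep at or below upload_max_filesize in php.ini
const UPLOAD_DIR = __DIR__ . '/uploads';   // placeholder; use a path the web server does not serve

/**
 * Validate one entry of $_FILES. Returns null on success or an error string.
 * Nothing from the request (MAX_FILE_SIZE, client filename, client MIME type)
 * is consulted; only what PHP recorded and what is actually on disk.
 */
function validate_jpeg_upload(array $file, int $maxBytes = MAX_UPLOAD_BYTES): ?string
{
    // PHP reports violations of upload_max_filesize (and of MAX_FILE_SIZE,
    // when the browser honoured it) through this error code.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE);
    }
    // Reject anything that did not arrive through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Enforce the size limit in the script itself, independent of the hidden field.
    if ((int) $file['size'] > $maxBytes || filesize($file['tmp_name']) > $maxBytes) {
        return 'file exceeds ' . $maxBytes . ' bytes';
    }
    // Sniff the content on disk; a renamed executable fails here even if it
    // was sent as "something.jpg" with an image/jpeg Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        return 'content is not a JPEG';
    }
    // Confirm the JPEG header parses.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'invalid JPEG header';
    }
    return null;
}

/**
 * Decode the image and write a fresh JPEG from the pixel data, so that only
 * picture content survives (embedded metadata and anything appended after
 * the image data are dropped). The file is stored under a server-chosen name.
 */
function store_jpeg_upload(array $file): string
{
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG could not be decoded');
    }
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    // Random name with a fixed extension; the client-supplied name is never used.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, $dest, 85)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($img);
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    $err = validate_jpeg_upload($_FILES['userfile']);
    if ($err !== null) {
        http_response_code(400);
        exit('Rejected: ' . htmlspecialchars($err, ENT_QUOTES));
    }
    $saved = store_jpeg_upload($_FILES['userfile']);
    echo 'Stored as ' . htmlspecialchars(basename($saved), ENT_QUOTES);
}
```

Two design points worth noting. The size check is layered: upload_max_filesize stops the request before the script runs, and the script's own limit guards against a php.ini that is later relaxed, which is the protection the poster was looking for from the hidden field. The re-encode step is what addresses "a virus called something.jpg": a file that is not really a JPEG never reaches imagecreatefromjpeg, and a real JPEG with extra data tucked inside comes out as plain pixels. That is not a substitute for a malware scanner on the upload directory if one is required, but it removes the client's control over what bytes end up stored.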