Re: [suse-security] HTTP File Uploads
From: Keith Roberts (listskar.eclipse.co.uk)
Date: Fri Mar 12 2004 - 03:58:47 CST
Thanks for your reply.
I have set upload_max_filesize to 1M in php.ini.
From the php manual -
Example 19-1. File Upload Form
<!-- Example 19-1 from the PHP manual; METHOD="POST" and the closing tags were lost in the quote -->
<FORM ENCTYPE="multipart/form-data" ACTION="_URL_" METHOD="POST">
<!-- MAX_FILE_SIZE must come before the file input; the value is in bytes and is advisory only -->
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="1000">
Send this file: <INPUT NAME="userfile" TYPE="file">
<INPUT TYPE="submit" VALUE="Send File">
</FORM>
The _URL_ should point to a PHP file. The MAX_FILE_SIZE
hidden field must precede the file input field and its value
is the maximum filesize accepted. The value is in bytes.
The MAX_FILE_SIZE is advisory to the browser. It is easy to
circumvent this maximum. So don't count on it that the
browser obeys your wish! The PHP-settings for maximum-size,
however, cannot be fooled.
As upload_max_filesize cannot be fooled by an attacker, is
there any need to set the MAX_FILE_SIZE hidden field in the
form? I suppose I could write a function to check
MAX_FILE_SIZE is the value I expect it to be. If it has been
changed then terminate the php script.
My other concern was with an attacker inserting a virus of
any sort into a jpg file. Or just calling a virus
something.jpg, and trying to upload that to my server.
Probably need to run some sort of virus check on all
uploaded jpg files, and delete anything suspicious.
Kind Regards - Keith Roberts
On Fri, 12 Mar 2004, Armin Schoech wrote:
> To: suse-securitysuse.com
> From: Armin Schoech <armin.schoechweb.de>
> Subject: Re: [suse-security] HTTP File Uploads
> > I'm working on a php script to upload user supplied jpg
> > photos to my server.
> > What are the security issues involved when allowing users to
> > upload files to my server like this?
> --> You should restrict the file size in the HTML form and
> additionally by checking the limit in the PHP script. Otherwise
> someone could crash your server by filling up your harddisk until 0
> bytes are left.
> Am Hasenberg 26
> D-18209 Bad Doberan
> Tel. ++49-(0)38203/42137
> Email: schoechiap-kborn.de
> WWW: http://armins.cjb.net/
>
> office: Institut für Atmosphärenphysik
> Schloss-Straße 6
> D-18225 Kühlungsborn / GERMANY
> Tel. +49-(0)38293-68-102
> Fax. +49-(0)38293-68-50
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-helpsuse.com
> Security-related bug reports go to securitysuse.de, not here
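The thread above raises three points: the MAX_FILE_SIZE hidden field is advisory and can be changed by the client, upload_max_filesize in php.ini is the limit that actually holds, and a file called something.jpg is not necessarily a JPEG. The handler below is an added example, not code from the thread or from the PHP manual, that applies all three server-side. It assumes the form field is named userfile (as in the manual example), that the form sends MAX_FILE_SIZE=1000, a hard server-side limit of 1000000 bytes, and an upload directory /var/uploads outside the web root; all of these are placeholder assumptions.

```php
<?php
// Added example (not from the thread): server-side handling of a JPEG upload.
// Every limit is re-checked from $_FILES because the hidden MAX_FILE_SIZE
// field only advises the browser and can be altered by the client.
// Assumed values (not from the page): field name "userfile", expected
// MAX_FILE_SIZE of 1000, hard limit of 1000000 bytes, storage in /var/uploads.

const EXPECTED_MAX_FILE_SIZE = 1000;          // value our own form sends
const SERVER_MAX_BYTES       = 1000000;       // enforced here regardless of the form
const UPLOAD_DIR             = '/var/uploads'; // placeholder; keep it outside the web root

function reject(string $reason): void {
    http_response_code(400);
    error_log("upload rejected: $reason");
    exit("Upload rejected.\n");
}

// 1. Keith's check: a missing or altered MAX_FILE_SIZE field does not by
//    itself stop anything, but it is a tampering signal worth logging.
if (($_POST['MAX_FILE_SIZE'] ?? null) !== (string) EXPECTED_MAX_FILE_SIZE) {
    reject('MAX_FILE_SIZE field missing or altered');
}

$f = $_FILES['userfile'] ?? null;
if (!is_array($f)) {
    reject('no file field');
}

// 2. PHP reports violations of upload_max_filesize (UPLOAD_ERR_INI_SIZE) and
//    of MAX_FILE_SIZE (UPLOAD_ERR_FORM_SIZE) as error codes; treat anything
//    other than UPLOAD_ERR_OK as a failure.
if ($f['error'] !== UPLOAD_ERR_OK) {
    reject('upload error code ' . $f['error']);
}

// 3. Enforce the byte limit on the temporary file itself, never on a value
//    supplied by the client, and confirm PHP really created the temp file.
if (!is_uploaded_file($f['tmp_name']) || filesize($f['tmp_name']) > SERVER_MAX_BYTES) {
    reject('file too large or not an upload');
}

// 4. Ignore the client-supplied name and extension ("virus.jpg"): require the
//    JPEG magic bytes and an image header that PHP can decode as JPEG.
$fh = fopen($f['tmp_name'], 'rb');
$magic = fread($fh, 3);
fclose($fh);
$info = @getimagesize($f['tmp_name']);
if ($magic !== "\xFF\xD8\xFF" || $info === false || $info[2] !== IMAGETYPE_JPEG) {
    reject('not a JPEG');
}

// 5. Store under a server-generated name outside the web root so the
//    client-chosen filename never reaches the filesystem or the web server.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.jpg';
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    reject('could not store file');
}
chmod($dest, 0640);
echo "Stored.\n";
```

The magic-byte and getimagesize checks answer the "virus called something.jpg" concern by validating content rather than name; they do not replace the virus scan Keith mentions, which can be run on $dest (for example with a command-line scanner such as clamscan) before the file is ever served. Storing uploads outside the web root under a random name also means that even a file that slips through is never executed or fetched by the path the uploader chose.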