Browse Source
port over article http://brett.is/writing/about/php-stop-malicious-image-uploads/
pull/1/head
1 changed files with 77 additions and 0 deletions
Split View
Diff Options
+ 77
- 0
contents/writing/about/php-stop-malicious-image-uploads/index.md
View File
| @ -0,0 +1,77 @@ | |||
| --- | |||
| title: PHP - Stop Malicious Image Uploads | |||
| author: Brett Langdon | |||
| date: 2012-02-01 | |||
| template: article.jade | |||
| --- | |||
| Quick and easy trick for detecting and stopping malicious image uploads to PHP. | |||
| --- | |||
| Recently I have been practicing for the upcoming NECCDC competition and have | |||
| come across a few issues that will need to be overcome, including how to stop | |||
| malicious image uploads. | |||
| I was reading | |||
| <a href="http://www.acunetix.com/websitesecurity/upload-forms-threat.htm" target="_blank">this</a> | |||
| article on | |||
| <a href="http://www.acunetix.com/" target="_blank">Acunetix.com</a> | |||
| about the threats of having upload forms in PHP. | |||
| The general idea behind this exploit for Apache and PHP is when a user can | |||
| upload an image whose content contains PHP code and the extension includes | |||
| ‘php’ for example an image ‘new-house.php.jpg’ that contains: | |||
| ``` | |||
| ... (image contents) | |||
| <?php phpinfo(); ?> | |||
| ... (image contents) | |||
| ``` | |||
| When uploaded and then viewed Apache, if improperly setup, will process the | |||
| image as PHP, because of the ‘.php’ in the extension and then when accessed | |||
| will execute malicious code on your server. | |||
| ## My Solution | |||
| I was trying to find a good way to remove this issue quickly without opening | |||
| more security holes. I have seen some solutions that use the function | |||
| <a href="http://us2.php.net/manual/en/function.getimagesize.php" target="_blank">getimagesize</a> | |||
| to try and determine if the file is an image, but if the malicious code is | |||
| injected into the middle of an actual image this function will still return | |||
| the actual image size and the file will validate as an image. The solution I | |||
| came up with is to explicitly convert each uploaded image to a jpeg using | |||
| <a href="http://us2.php.net/manual/en/function.imagecreatefromjpeg.php" target="_blank">imagecreatefromjpeg</a> | |||
| and | |||
| <a href="http://us2.php.net/manual/en/function.imagejpeg.php" target="_blank">imagejpeg</a> | |||
| functions. | |||
| ```php | |||
| <?php | |||
| $image = imagecreatefromjpeg( './new-house.php.jpeg' ); | |||
| imagejpeg( $image, './new-house.php.jpeg' ); | |||
| ``` | |||
| If the original image contains malicious code an error will be thrown and | |||
| `$image` will not contain an image. This is a way to try and sanitize the | |||
| image. This code can also be embellished where if the image is invalid then | |||
| an image is still created and uploaded. | |||
| ```php | |||
| <?php | |||
| //@ to quite the possible error from this. | |||
| $image = @imagecreatefromjpeg( './new-house.php.jpg' ); | |||
| if( !$image ): | |||
| $image = imagecreate(100,20); | |||
| $greenish = imagecolorallocate( $image, 180,200,180 ); | |||
| imagefill( $image, 0, 0, $greenish ); | |||
| $black = imagecolorallocate( $image, 0,0,0 ); | |||
| imagestring( $image, 1, 5, 5, 'No.. No..', $black ); | |||
| endif; | |||
| imagejpeg( $image, './new-house.php.jpg' ); | |||
| ``` | |||
| Enjoy. | |||