Security should always be on the mind of any developer of web technologies, but sadly in todays rush toward rapid application development and fast approaching deadlines, security takes a backseat sometimes. Here at CIAS we need to walk the thin line between a locked down and secure web environment, and an open and available environment which allows Students, Faculty and Staff the ability to freely explore all aspects of web programming.

We have had a few incidents involving unsecured uploads scripts on the cias.rit.edu student web server, so we need to start taking a harder look at security. These incidents have involved both spam, and hacking attempts.

There are two ways I can look at the security of the cias.rit.edu web applications.

  1. I can lock down apache and php and make it nearly impossible for hacking attempts, at the expense of your ability to create flexible web applications.
  2. I allow the responsibility to come down to the individual account owners to secure their applications and keep security of the server as their primary priority.

I would much rather latter option, the first option creates an environment that is very much limiting and locked down.

With that said, what can you as a developer do to help secure our environment in your file upload scripts??

Here are some simple steps you can take in your scripts:

  • Check the referrer of the form submission: make sure the information being sent from your script actually come from your script, not being faked from an outside source
  • Restrict file types: This is the most important step you can do to secure your file upload scripts. if you are only expecting jpg images, make sure the file being uploaded has the .jpg and/or .jpeg extension. Note to watch out for double extensions (i.e. image.jpg.php )
  • Rename the file being uploaded: If the image comes in as MyCutePuppy.jpg, rename it to something like timestamp_MyCutePuppy.jpg, or even better yet, if you are keeping your images in a database, you can easily track the names of your files if you rename them to something completely random, such as a timestamp or md5 checksum
  • Permissions: 777 is not a good idea for your unless you REALLY need it. The best idea is at least 644 ( Owner can read/write/, everyone else can only read) This is a perfect for image uploads, if you are doing things in your web app such as deleting images, you may need to loosen up your permissions, but make sure you don’t just blanket 777 everything, as this ‘is a bad idea’
  • You will need your upload directory to be 777, but all the files in it should be 644
  • Make your users login, or at least give some information that you can use to track them down. Actions like this will deter users (or bots) from doing ‘bad’ things

Ok, so with these nice little tips, how can we create a nice easy php upload script that won’t allow the server to be owned?

Well, to understand that, I think we need to understand how an unsecured upload script can be exploited, here is a great example, and exactly how we’ve been attacked before.

  1. Hacker finds an unsecured upload script
  2. Hacker uploads a .php file
  3. Hacker then finds his .php that was uploaded to the server, not renamed and with 777 permissions. By just visiting this PHP script in his web browser the attack has started
  4. That PHP scripts then proceeds to download from the internet binaries and other php scripts that can be used to gain a command line on the machine
  5. The hacker now has the run of the server as the user www-data who runs the apache server. This is a bad situation, this has now put every account on the web server at risk, because the www-data user has permissions to everyone’s directory.
  6. The hacker at this point can either launch attacks on other servers, using our good name as a proxy, or can continue to exploit our server and install software that gives the hacker a backdoor.

As you can see, this ‘is a bad thing’

So how do we stop this from happening?!

The following script gives you everything you need! (Read the comments to understand what everything does)
The sample script implements many of the points i talked about earlier in this post, ejoy

You can try out the script, and see the source at: http://bjcpgd.cias.rit.edu/upload.php

 

 

[php]

CIAS Secure PHP File Upload Example


Send this file:


\n”;
echo “View file: here“;
echo “

";
                print_r($uploadfileinfo);
                echo "

“;
} else {
#This else statement really just means, something happened in your upload and you got an error
echo “Possible file upload attack!\n”;
}

} else {
#This is where you would handle your ‘not allowed’ extentions.
echo “The file: “. $uploadfileinfo[‘basename’] .” is not an allowed file type”;
}
}
}
?>
[/php]

Leave a Reply