Begging to get hacked while handling files with PHP

It truly doesn’t take much for a software developer to get owned. Anyway, a loooog time ago I was watching (yes, watching) a class on PHP, they were being taught on how to handle files using HTML forms and PHP code. I noticed a problem though. I thought a few, it gets¬†they are WAY more, are the people who mishandle files. Anyway, how to get from a simple mishandling to get your ass owned.

The concept
 User A wants to upload a file to a server. Server accepts the files, checks for certain criteria, if we find a match file is accepted. RIGHT? WROONG, this is how it should work, not how it works.

The problem

There is a variety of ways to build those criteria. You can check for extensions (for example .jpg only) or for mime-types (image/jpeg only). What’s the problem with that?

The first problem is about changing mime-type. This kind of information comes client-side. Apache, or whatever software you are using does not check whether this file is or is not a JPEG image. When the user chooses the desired file to upload, browser generates automatically the mime-type. The problem is that the attacker can change it moments before he sends the HTTP header. Assume that you allow someone to upload only jpg files (mime-type:image/jpeg). I decide that I want to own your box. I choose a PHP backdoor, change the mime-type, file gets online. This is the simple scenario.
Not to mention the 1×1 jpg hack.
Also, even if he checks, there is always the good old Null Byte Poison Attack under certain circumstances etc.

The workaround

Force an extension. If it says JPG then
thisisamaliciousfile.JPG. Simple?

Stop using multiple ifs and begging to get your ass owned.
Imagine something simple. You never get owned but… Your server is used as a store all shells and you are getting complaints about allowing shells to be stored there. Not cool.

Leave a Reply

Your email address will not be published. Required fields are marked *