This is a discussion on upload security within the PHP Language forums, part of the PHP Programming Forums category.
I have a question concerning the security of my file upload script. I'm using the PHP upload routines (move_uploaded_file, ...) and variables ($_FILES) to upload images to a web directory. Everything works fine, meaning that I can upload images BUT only if I change the permission of the directory to which the uploaded images are moved to 777. I guess that this is not such a good thing from a security point of view. So here are some questions I have:

1) Is this really that dangerous? How could this be exploited by an attacker?
2) Using chmod in my PHP script (to switch back and forth between 700 and 777) is not an option, since I'm on a virtual host and PHP is in safe mode.
3) Creating a directory which is not reachable by web browser does not seem to be possible either, since outside my web directory everything is root-owned and obviously only my ISP has root permission ;-)
4) I know that changing to FTP functions might solve this problem, but I want to do image resize operations on the uploaded image afterwards anyway, so I would prefer solutions allowing the creation of safe directories or something similar.
5) Any hints and/or tips on making safe file upload applications in PHP are welcome.
"Philippe Lemmerling" <philippe.lemmerling@esat.kuleuven.ac.be> wrote in message news:1065050202.261025@seven.kulnet.kuleuven.ac.be ...

> I have a question concerning the security of my file upload script. I'm using the PHP upload routines (move_uploaded_file, ...) and variables ($_FILES) to upload images to a web directory. Everything works fine, meaning that I can upload images BUT only if I change the permission of the directory to which the uploaded images are moved to 777. I guess that this is not such a good thing from a security point of view. So here are some questions I have:
>
> 1) Is this really that dangerous? How could this be exploited by an attacker?
> 2) Using chmod in my PHP script (to switch back and forth between 700 and 777) is not an option, since I'm on a virtual host and PHP is in safe mode.
> 3) Creating a directory which is not reachable by web browser does not seem to be possible either, since outside my web directory everything is root-owned and obviously only my ISP has root permission ;-)
> 4) I know that changing to FTP functions might solve this problem, but I want to do image resize operations on the uploaded image afterwards anyway, so I would prefer solutions allowing the creation of safe directories or something similar.
> 5) Any hints and/or tips on making safe file upload applications in PHP are welcome.

Suggestions:

Do your best to upload the files to a location outside your $_SERVER[DOCUMENT_ROOT] (the root of your website). Why? Well, if someone was to upload their own PHP file within your document root directory, it gives them access to your server (or at the very least, to your web site directory tree).

Try changing your 777 to 770 or 775 in the chmod/mkdir and then test your upload again.

If you are forced to upload inside your document root, then limit the files that can be uploaded (i.e. avoid html, exe, php, htm, js, java files). Alternatively, have all files zipped/compressed after they've been uploaded to reduce risks.
"Randell D." <you.can.email.me.at.randelld@yahoo.com> wrote in message news:seLeb.2827$pl3.482@pd7tw3no...

> Suggestions:
> Do your best to upload the files to a location outside your $_SERVER[DOCUMENT_ROOT] (the root of your website). Why? Well, if someone was to upload their own PHP file within your document root directory, it gives them access to your server (or at the very least, to your web site directory tree).
>
> Try changing your 777 to 770 or 775 in the chmod/mkdir and then test your upload again.

Only 777 seems to work because my web tree is owned by user123 of group123 and the PHP uploaded files are owned by apache of group apache.
Would it be possible to use htaccess to limit e.g. the access by IP number (being the IP of my virtual host then), or is this only a small protection?

> If you are forced to upload inside your document root, then limit the files that can be uploaded (i.e. avoid html, exe, php, htm, js, java files).

Is there a good way to check the file type? Using the MIME type provided by the client isn't really great, because that can easily be faked.

> Alternatively, have all files zipped/compressed after they've been uploaded to reduce risks.
"Philippe Lemmerling" <philippe.lemmerling@esat.kuleuven.ac.be> wrote in message news:1065079227.580071@seven.kulnet.kuleuven.ac.be ...

> "Randell D." <you.can.email.me.at.randelld@yahoo.com> wrote in message news:seLeb.2827$pl3.482@pd7tw3no...
>
> > Suggestions:
> > Do your best to upload the files to a location outside your $_SERVER[DOCUMENT_ROOT] (the root of your website). Why? Well, if someone was to upload their own PHP file within your document root directory, it gives them access to your server (or at the very least, to your web site directory tree).
> >
> > Try changing your 777 to 770 or 775 in the chmod/mkdir and then test your upload again.
>
> Only 777 seems to work because my web tree is owned by user123 of group123 and the PHP uploaded files are owned by apache of group apache.
> Would it be possible to use htaccess to limit e.g. the access by IP number (being the IP of my virtual host then), or is this only a small protection?
>
> > If you are forced to upload inside your document root, then limit the files that can be uploaded (i.e. avoid html, exe, php, htm, js, java files).
>
> Is there a good way to check the file type? Using the MIME type provided by the client isn't really great, because that can easily be faked.
>
> > Alternatively, have all files zipped/compressed after they've been uploaded to reduce risks.

I can't comment on using htaccess, I'm afraid, as it's a feature I've not used, but it would give you some additional security.

With regards to checking the file types: you don't have to find out the MIME type. You just need to make sure that whatever is uploaded is not confused as being a 'legal' script/page that would give the poster access to changing any of your web pages.

For example, say your files are going to DOCUMENT_ROOT/upload and the client uploads a file called crack.php. If crack.php were to contain some malicious code, the user only needs to visit your website using the URL http://www.yourWebSite.com/upload/crack.php for this malicious code to run. Depending on how your web server is configured, it will have special recognition for the "tags" or file extension names (like ".php" or ".asp" or ".pl" or whatever). So you really don't need to check the MIME type, you just need to check the tag on a filename (you could use something like pathinfo() to help you with this). Hence, if possible, this is why I suggest you store the files outside your DOCUMENT_ROOT, for example DOCUMENT_ROOT/../upload (note the two dots, meaning it's up or behind or outside the document root directory).

On my system, I keep the file name tags/extension names in a db. Files that are uploaded have a hashed name (using md5()). The hash is never revealed to the end user; since the hash is 32 characters long and almost random, it would be difficult for anybody to guess the filenames (since the original filename is no longer valid to the O/S). Whenever I need to reference the file for downloading by a user, I have it copied back to a more sensible name.

However you do it, be it by keeping the files outside your document_root or by testing/changing the file names that are uploaded, you ought to do something to prevent a user from running malicious code on your machine.
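As an added example, not code from anyone in this thread, here is how Randell's advice from both replies could be put together in one PHP upload handler: an extension whitelist checked with pathinfo(), a getimagesize() content check in place of the client-supplied MIME type that Philippe distrusts, storage outside DOCUMENT_ROOT under an md5() hashed name, and a download function that serves the file under a friendly name instead of copying it back into the web tree. The function names acceptUpload and sendStoredImage, the form field "image", the PHP 7.1+ requirement and the DOCUMENT_ROOT/../upload store directory are my assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+, a form field named
// "image", and a store directory at DOCUMENT_ROOT/../upload writable by the web
// server user (if your host forbids that, use a directory inside the web tree;
// the extension and content checks below are what keep it safe).
$allowedExt = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
$storeDir   = $_SERVER['DOCUMENT_ROOT'] . '/../upload';

function acceptUpload(array $file, array $allowedExt, string $storeDir): array
{
    // PHP's own error code first, then confirm tmp_name really came from this request.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'upload failed or tmp_name is not an uploaded file'];
    }
    // Decide on the extension of the client-supplied name (what the server would
    // execute on), never on $file['type'], which is only the client's MIME claim.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedExt[$ext])) {
        return [false, 'extension not allowed'];
    }
    // getimagesize() parses the image header, so a script renamed to .jpg fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowedExt[$ext]) {
        return [false, "content is not a valid $ext image"];
    }
    // Store under a hashed name so the original filename never reaches the filesystem;
    // record the (hash, original name) pair in your database for later display.
    $hashed = md5(uniqid('', true) . $file['name']) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], "$storeDir/$hashed")) {
        return [false, 'could not move uploaded file'];
    }
    return [true, $hashed];
}

// Stream a stored image back under a friendly name; the hashed path stays hidden.
function sendStoredImage(string $hashed, string $storeDir, array $allowedExt, string $niceName): void
{
    $path = $storeDir . '/' . basename($hashed);   // basename() strips any ../ in the key
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset($allowedExt[$ext]) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $allowedExt[$ext]);
    header('Content-Disposition: inline; filename="' . basename($niceName) . '"');
    readfile($path);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    [$ok, $msg] = acceptUpload($_FILES['image'], $allowedExt, $storeDir);
    echo $ok ? "stored as $msg" : "rejected: $msg";
}
```

The store directory still needs to be writable by the web server user, so the 777 question in Philippe's post is unchanged; what the checks buy you is that nothing written there can be executed as a script even if the directory is reachable over the web.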