This is a discussion on Hacker attack. What do they want? within the PHP Language forums, part of the PHP Programming Forums category.

On Feb 25, 2:19 pm, Toby A Inkster <usenet200...@tobyinkster.co.uk> wrote:
> Gordon wrote:
> > * Does your script check the MIME type of the uploaded file? The
> > $_FILES superglobal contains a mime element you can check. If this
> > isn't 'image/jpeg' or 'image/pjpeg' then reject the upload and delete it
> > from your temp directory.
>
> This is virtually worthless from a security point of view. The MIME type
> is reported by the client's browser, so cannot be relied upon.
>
> A better test would be to check that the file's contents seemed to be
> a valid JPEG. One way of doing this would be to read the file into a
> string (or to save memory, just the first few bytes) and check that bytes
> 7 to 10 match the string "JFIF".
>
> Better still, use GD or similar to open the file and check it's a valid
> image.
>
> --
> Toby A Inkster BSc (Hons) ARCS
> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> [OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 26 days, 20:32.]
>
> Bottled Water
> http://tobyinkster.co.uk/blog/2008/02/18/bottled-water/

You're right, but I think if you're going to do that then GD is the way to do it. There's nothing stopping somebody from making the first line of a malicious file a comment that contains the JPEG magic string.
Fro wrote:
> Hi,
>
> my site allows uploading images. For that reason I have created a
> directory which has "drwxrwxrwx" permission, i.e. everybody can write
> in that directory.
.......

For such use, you have to give 222 permission: everybody can write, without read, without exec!!!
Gordon wrote:
> You're right, but I think if you're going to do that then GD is the way
> to do it. There's nothing stopping somebody from making the first line
> of a malicious file a comment that contains the JPEG magic string.

True, but if they don't know *how* you're checking that the file is a JPEG (i.e. /^.{6}JFIF/) then they might not think to forge those bytes. You could be doubly-sure by checking for:

    <?php
    // $firstfewbytes holds the start of the uploaded file, e.g. its first 64 bytes
    if ( preg_match('/^.{6}JFIF/s', $firstfewbytes)          // /s so '.' also matches a 0x0A length byte
      && !preg_match('/^(.ELF|\#\!)/', $firstfewbytes) ) {   // and it is not an ELF binary or a #! script
        // file is safe
    }

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 27 days, 17:47.]

Bottled Water
http://tobyinkster.co.uk/blog/2008/02/18/bottled-water/
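Putting the two posts above together as an added example (not code from either poster): a PHP validator that ignores the client-supplied MIME type, checks the JPEG header bytes, then lets GD parse and fully decode the file, and finally re-encodes it under a server-chosen name so an embedded comment segment is never copied through. The field name `$_FILES['image']` and the directory `/var/uploads` are assumptions of this example.

```php
<?php
// Added example, not from the thread. Assumes the upload arrived as
// $_FILES['image'] and that /var/uploads is outside the web root.
function validate_uploaded_jpeg(string $tmpPath, int $maxPixels = 25000000): ?string
{
    // $_FILES['image']['type'] is never consulted: the browser sets it, so it is attacker-controlled.
    // Cheap header check: SOI marker FF D8 FF, then an APP0 "JFIF" or APP1 "Exif" segment.
    // The /s modifier lets '.' match 0x0A, which a segment-length byte may legitimately be.
    $head = file_get_contents($tmpPath, false, null, 0, 64);
    if ($head === false || !preg_match('/^\xFF\xD8\xFF(\xE0..JFIF|\xE1..Exif)/s', $head)) {
        return 'not a JPEG header';
    }
    // Let the image library parse the structure; a forged header glued onto a script body fails here.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'getimagesize rejected the file';
    }
    // Decompression-bomb guard: refuse absurd dimensions before decoding.
    if ($info[0] * $info[1] > $maxPixels) {
        return 'image too large';
    }
    // Full decode: failure means the entropy-coded data is not real JPEG.
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        return 'GD could not decode the image';
    }
    imagedestroy($img);
    return null; // all checks passed
}

function store_uploaded_jpeg(string $tmpPath, string $destDir): string
{
    // Re-encode through GD so comment/APP segments (the "comment containing the magic string"
    // case from the thread) are rebuilt by the encoder rather than copied verbatim.
    $img = imagecreatefromjpeg($tmpPath);
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg'; // server-chosen name
    imagejpeg($img, $dest, 85);
    imagedestroy($img);
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

$tmp = $_FILES['image']['tmp_name'];
if (($err = validate_uploaded_jpeg($tmp)) !== null) {
    unlink($tmp);
    http_response_code(400);
    exit("Upload rejected: $err");
}
echo 'Stored as ' . store_uploaded_jpeg($tmp, '/var/uploads');
```

The header regex is this example's generalisation of the thread's `/^.{6}JFIF/`: it also accepts Exif-only JPEGs, which carry "Exif" rather than "JFIF" at bytes 6 to 9.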
I would suggest building a more robust interface - use something like http://www.digitalgemstones.com/script/ImgUploader.php to make uploading files easy and secure, then build your own interface - it doesn't have to be much more complex than the natural one Apache serves up - but if you built it, you can control it. The problem with opening up security holes like that is, you're going to be very hard pressed to ensure that you've covered all your bases as far as only allowing valid access - much better, even if it's more work in the short term, to build it yourself.