Security

[holmesy]

Hi there, We have a large client whom use this script to upload images cross domain. It has been brought to our attention that the script has a security flaw in which someone can attack it by sending a php script and causing harm to the server. The script we are using is an old version dating back to mid last year. Are you aware of this script having possible security holes? Would updating the php uploader script fix any security issues in where someone could possible attack it with some other script? A response to this would be greatly appreciated. I am happy to send you any more information on this if that helps.

Regards matt

[katanacrimson]

Some things you can do to plug those sorts of holes:

• check file metadata, verify mimetype and possibly run uploaded images against GD/Imagemagick/someotherimagelibrary - a quick solution to handle this would be to leverage Imagine (requires php5.3)
• do not allow PHP file execution on the directory/virtualhost that contains uploaded files at all - and possibly pipe all uploads through a PHP script which just reads the file and echos it to the user. this prevents anything from being executed server-side, but adds some minor overhead.
• if using nginx, see the nginx pitfalls page for properly configuring php and nginx: http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP

[holmesy]

Hi Damian,

Thank you for your response.

Your second point how would you go about that?

Regards Matt

On 15/04/2012, at 11:44 PM, Damian Bushong wrote:

Some things you can do to plug those sorts of holes:

• check file metadata, verify mimetype and possibly run uploaded images against GD/Imagemagick/someotherimagelibrary - a quick solution to handle this would be to leverage Imagine (requires php5.3)
• do not allow PHP file execution on the directory/virtualhost that contains uploaded files at all - and possibly pipe all uploads through a PHP script which just reads the file and echos it to the user. this prevents anything from being executed server-side, but adds some minor overhead.
• if using nginx, see the nginx pitfalls page for properly configuring php and nginx: http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP

---

Reply to this email directly or view it on GitHub: https://github.com/blueimp/jQuery-File-Upload/issues/1197#issuecomment-5139287

Matt Holmes Lead Multimedia Developer

76-78 Balmain St Richmond, 3121 Victoria, Australia

P: +61 3 9274 3600 F: +61 3 9274 3610 studiomoso.com.au

[katanacrimson]

Your best bet would be to do something similar to what phpBB3 does with their file upload handling.

You can get a rough idea from how the source code reads for download/file.php: https://github.com/phpbb/phpbb3/blob/develop-olympus/phpBB/download/file.php

It would be far easier to rely on Imagine, tbh.

[blueimp]

The jQuery File Upload plugin - as the name implies - focuses on improving the client-side file upload experience. The server-side implementations are intended mainly for demonstration purposes.

However, since I'm aware that many users make use of the provided scripts as complete upload solution, I've made sure that the default installations don't allow to run arbitrary scripts in the context of the web application.

For example, since I've added a more advanced example code one year ago, I've also added a .htaccess file with directives for Apache to prevent execution of arbitrary files: https://github.com/blueimp/jQuery-File-Upload/commit/13931c7e4f7113c7b6832fe6d9abe0edf627ab3d#diff-1

However, there was actually a security hole which has been fixed 9 months ago, which allowed to overwrite the .htaccess file and thus rendering the aforementioned directive useless: https://github.com/blueimp/jQuery-File-Upload/commit/0432be36354d0996853f0e4986cbb67cf8ebf8c5

With the current versions, I'm not aware of any security holes in any of the provided server-side implementations.
In any way I would recommend you to stay up to date with the latest version, as I don't provide support or fixes for any older versions.

In addition to implementing @damianb's recommendations, I would suggest you read the information provided here in the Wiki: https://github.com/blueimp/jQuery-File-Upload/wiki/Security

[katanacrimson]

@blueimp should note it's a bad idea to rely upon file extension for upload security. alternative httpd's (and some poor configurations) will sometimes allow uploads to be accessed under improper conditions.

example:

• upload is named abcde123.png - contains a php file simply renamed with a new extension
• file's uploaded to the server under a predictable naming scheme
• attacker accesses server.tld/path/to/uploads/abcde123.png.php and the php script is exec'd

Possible solutions include, for images only, running it past gd/whatever. Outside of that, like i told him, piping things through a script helps prevent an issue like that.

On upload however, there is the fileinfo class, which made php core in 5.3

http://us.php.net/manual/en/ref.fileinfo.php

with it, you could check file mimetype, which would be a better solution than simply checking file extension data.

[blueimp]

There is no inherent problem with using the file extension to detect media types, as this is what Apache uses to define which interpreter to run the file through and which content-type headers to serve the file with.

Interestingly, many media type detection libraries do nothing else than a map from file extension to content type.

Important is to make sure that the application which defines which files to interpret and what content-type header to send uses the same detection mechanism as your security restriction mechanism.