timosupremo
commented
11 years ago Two things...
1) @szajbus, great plugin overall! I appreciate its simplicity compared to other ones out there as I only needed something lightweight. When I get the free time, I'd love to make a pull request and try to fix the vulnerability and enhance the security of the plugin. My intent at this time was to simply disclose the vulnerability so that people are aware of it.
2) @robertofrega, perhaps you should think before you talk in the future. There's enough information in my reply to understand the nature of the vulnerability. If I had the time to point out the lines of code that caused it, well, at that point I'd fix it myself. Also, it's an actual vulnerability in the code -- not some frilly feature request because I'm too lazy to implement it myself. Anyone actively using this plugin can have their web server compromised because of this issue. If you don't understand the seriousness of this, please point me to the URL of your web server and I'll have it pwned in 5 minutes. Finally, if you don't know what a MIME type or file extension is, or you don't have an understanding as to how to securely implement a file upload system, then it would behoove you to not make unintelligible comments lest your intention is to prove yourself a fool.
szajbus
Your script is vulnerable to an arbitrary file upload attack. A malicious user can get around the MIME type check simply by spoofing the MIME type in the POST data. This is further compounded as you do not check the file extension properly. Thus, an attacker can upload a .php script (or really, anything) to the web server so long as the MIME type meets the validation requirements.