Upload Down
Posted : Monday, 11 June 2012, 15:19
Jayenkai


WW Entries : 103
Due to MASSIVE security flaw, upload is temporarily down... It'll be back once I feel up to fixing it. Apologies. But thanks to DD for letting me know.

-----
Posted : Monday, 11 June 2012, 15:19
shroom_monk


WW Entries : 8
Once it's fixed, any chance of explaining what it was / how it worked, from an educational standpoint?

-----
A mushroom a day keeps the doctor away...

Keep It Simple, Shroom!
Posted : Monday, 11 June 2012, 17:49
JL235


WW Entries : 7
If Jay doesn't mind, then I'd be happy to explain.

-----
PlayMyCode.com - build and play in your browser, Blog, Twitter.
Posted : Monday, 11 June 2012, 18:24
JL235


WW Entries : 7
I've also just PM'd Jay a simple fix for the problem, which should solve it. Once you know, it's pretty easy to implement.

-----
PlayMyCode.com - build and play in your browser, Blog, Twitter.
Posted : Tuesday, 12 June 2012, 05:49
Jayenkai


WW Entries : 103
Yeah, go ahead and explain it, DD. It's another of those "why the hell would they make it do that?" server issues that don't seem obvious.

-----
Posted : Tuesday, 12 June 2012, 11:28
Stealth


File uploaders are scary. You never know what flaw someone can find and exploit.

-----
Andrew // stealth
"Some people see things as they are and say why? I dream things that never were and say why not?" - Robert Kennedy
Posted : Tuesday, 12 June 2012, 14:37
JL235


WW Entries : 7
It relates to how Apache handlers work. If you have a file called 'index.php', it will run it as a PHP script, because of the extension. In the early days of the web, it made sense to have multiple extensions. For example 'index.html.en' could be the English version of an HTML file, and so should be served as an HTML file. This is intended behaviour, and so not a bug. This means you can have multiple file extensions.

What I did on SoCoder was I uploaded a file called 'test.php.zip'. It then ran the PHP handler, because of the .php extension, and so allowed me to execute arbitrary PHP on the server.

We could just grep for .php, however what if I want to zip up a PHP file, and then upload it? 'test.php.zip' is a perfectly legitimate name for a .zip file. Plus checking the file extension is a really flaky way of validating a file. If you want to allow only .png files, then open it up and have a look if it's a .png. Never rely on the file extension!

So a better way to solve this is to place all uploads inside a sub-folder, and at the root, add a .htaccess file which turns off serving HTML and PHP from that folder. Such as:

You need to turn off html too, so it's served as a plain text file, instead of a page on that website. This is so people can't inject script tags, and get access to your session cookie, or navigate the site as you (which you can with JS).

I did some testing on a local environment. There 'test.php.zip' is served as a zip file, but 'test.php.foo' is served as HTML. I am able to serve HTML files without an HTML extension at the end, but cannot do this with PHP. So I'm guessing that either SoCoder is set up incorrectly, or that it's running on an older version of Apache and PHP, and this behaviour has changed. However, that is a total guess.

In short: always .htaccess off upload areas!

-----
PlayMyCode.com - build and play in your browser, Blog, Twitter.
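JL235's advice to open the file and check what it actually is, rather than trusting its name, written out as a PHP upload handler. This is an added example, not SoCoder's own upload code; the form field name `upload` and the `uploads/` directory are assumptions.

```php
<?php
// Added example: validate an upload by its bytes (magic numbers), then store
// it under a server-chosen name with exactly one extension, so names like
// 'test.php.zip' never reach the filesystem. Assumes the uploads/ directory
// itself is also locked down in the web server config.
const ALLOWED = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/zip' => 'zip',
];

function detectExtension(string $path): ?string {
    // finfo reads the file content; the client-supplied name and
    // $_FILES['upload']['type'] are both attacker-controlled and ignored here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null;
    }
    // Images must also decode as images, not merely start with the right header.
    if ($mime !== 'application/zip' && getimagesize($path) === false) {
        return null;
    }
    return ALLOWED[$mime];
}

function storeUpload(array $file, string $dir): ?string {
    // PHP writes the upload to tmp_name and deletes it when the request ends
    // unless move_uploaded_file() moves it; is_uploaded_file() rejects paths
    // that did not come from this request's upload.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = detectExtension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Random name, single extension: nothing from the original filename survives.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

$saved = storeUpload($_FILES['upload'] ?? ['error' => UPLOAD_ERR_NO_FILE, 'tmp_name' => ''],
                     __DIR__ . '/uploads');
echo $saved === null ? 'rejected' : 'stored as ' . htmlspecialchars($saved);
```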
Posted : Tuesday, 12 June 2012, 15:06
shroom_monk


WW Entries : 8
If you use HTML file inputs with PHP, are they uploaded to a temporary folder and deleted when the script finishes, or do they remain? I assume that doesn't suffer from the same issue, or does it?

-----
A mushroom a day keeps the doctor away...

Keep It Simple, Shroom!
Posted : Tuesday, 12 June 2012, 15:16
HoboBen


WW Entries : 9
Wow. I'm surprised in the case of ".php.zip" later handlers (e.g. .zip) don't (always) take priority over earlier handlers.

You'd expect ".zip" to be detected, and served with a header identifying it as binary, just like you'd expect ".html" to be sent with a "text/html" header. It means even a white-listed set of extensions is vulnerable.

If you want to make this foolproof though, do the disabling in httpd.conf and disallow overrides for the directory (bonus -- you can use regex and be protected if a future version of php comes out with .php6 or something). Drawback is "foo.php.zip" no longer becomes a valid file.

This should really be highlighted in PHP's file uploading documentation.

In any case, thanks! I learnt something new!


-----
github
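The kind of upload-directory configuration JL235 describes (switching off PHP and HTML handling so everything is served as plain text), together with HoboBen's httpd.conf variant with a regex covering future PHP extensions. Added example, not the .htaccess from the original post; it assumes mod_php (with PHP-FPM the engine is disabled in the handler config instead) and that AllowOverride permits FileInfo and Options here.

```apache
# uploads/.htaccess -- added example, not the file from JL235's post.
# Assumes mod_php and AllowOverride FileInfo Options for this directory.

# Stop PHP from running anything in this tree, whatever the file is called.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Forget every extension-based handler, so 'test.php.zip' is never handed to
# the PHP handler; everything becomes a static file sent as-is.
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .phar
SetHandler default-handler

# Serve anything that looks like markup or script as plain text, so uploaded
# HTML/SVG cannot run JavaScript in the site's origin and read session cookies.
# '(\.|$)' makes the regex match the extension anywhere in the name.
<FilesMatch "\.(ph(p[0-9]?|tml|ar|ps)|s?html?|xhtml|svg|xml|js)(\.|$)">
    ForceType text/plain
</FilesMatch>

# Browsers must not second-guess the type; offer files as downloads.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Disposition "attachment"
</IfModule>

Options -Indexes -ExecCGI

# httpd.conf equivalent (HoboBen's suggestion): the same rules at server level
# with overrides refused, so a stray .htaccess inside the upload tree cannot
# re-enable anything. The path is a placeholder.
#
# <Directory "/var/www/example/uploads">
#     AllowOverride None
#     php_admin_flag engine off
#     RemoveHandler .php .phtml .php3 .php4 .php5 .phps .phar
#     SetHandler default-handler
#     <FilesMatch "\.(ph(p[0-9]?|tml|ar|ps)|s?html?|xhtml|svg|xml|js)(\.|$)">
#         ForceType text/plain
#     </FilesMatch>
#     Options -Indexes -ExecCGI
# </Directory>
```

As HoboBen notes, this also means a legitimate 'foo.php.zip' is sent as text/plain; the download header keeps it usable as a file.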
Posted : Tuesday, 12 June 2012, 15:49
JL235


WW Entries : 7
That is what I was thinking, Ben. Maybe it just ran the handlers in the order they were defined in older Apache, but newer Apache runs them based on right to left in the filename.

The other advantage of using htaccess to corner off a section is that it allows uploading html and php files, such as 'index.php', and they get served as pure text. For a generic upload manager, like what we have on SoCoder, this is handy.

-----
PlayMyCode.com - build and play in your browser, Blog, Twitter.