Member Avatar for Khav

Hi All

I have an file upload form and i secured it pretty well...One tedious problem is double extention upload.
suppose user have a file image.png
This upload fine and is fully legit.Now suppose a malicious user upload a file like image.php.png
This file can simiply be a php shell used to take control of my server and data that have been renamed to image.php.png to bypass my validation. (PHP see extension as PNG)
Once file get upload , attacker can use tamper data or Livehttp headers to resend the same file as image.php and hence sucessfully take over the server

However as a security researcher myself , i devise a method to prevent this
1.Use of algorithm to give the filename a random name on the server.This works perfect
Procedure
Use of PATHINFO_EXTENSION to detect extention of a file(its faster than other methods)
Then use algorithm to save the file with a random filename on server.

Notes:
This way the resending of info through POST method via Live http headers won't work as attacker won't know filename of image on server
image.php.png get saved as xyz127.png
The fileupload is now secure

However this cause a wastage of space as invalid files will be as xyz127.png on server.

I wanted to know you guys opinion on this and hope you have a better and more efficient method to prevent the double extension upload.Solution should be php based and not webserver based.

Greeting,
I hope it helps people

Edited by Khav because: corrected grammmer
  • 3 Contributors
  • 5 Replies
  • 4K Views
  • 11 Hours Discussion Span
  • Latest Post Latest Post by Khav

Recommended Answers

All 5 Replies

Member Avatar for GliderPilot

Just off the top of my head you could not allow any . in the file name, take the file name and explode it at all . which should give you an array of 2, of it's more than they have extra periods so deny the upload

i.e.:

$file_array = explode(".",$file_name);

if(count($file_array) !== 2)
{
  if($file_array[1] == "php")
  {
    //Attempted attack detected
  }
  else
  {
    echo "No periods allowed in filename, please try again.";
  }
}
else
{
  //All is good upload file
}

Thus if the upload image.png you'll have
file_array[0] = image
file_array[1] = png

array has 2 elements so all is good

If the upload image.php.png you'll have
file_array[0] = image
file_array[1] = php
file_array[2] = png

This has 3 elements so we've detected an extra period, and we detect that it's a php hack attempt

If the upload image.fun.png you'll have
file_array[0] = image
file_array[1] = fun
file_array[2] = png

This has 3 elements so we've detected an extra period, and we detect that it's not a php hack attempt

I'm sure there are other ways of doing it but that's how I would probably start off

Member Avatar for Khav

Its looks good but some image may have filenames like fun.car.png which is completely legit would be detected as hack attempt
Nice attempt GliderPilot......
Anyone else to attempt on this
This thread can serve as a reference for all developers and help to prevent sites from being hacked:D

Member Avatar for GliderPilot

You can do an in_array() search for unwanted extensions if you want to allow periods:

if(in_array('php',array_map('strtolower', $file_array)))

Member Avatar for Khav

@LastMitch
The solution showned there is SERVER SIde , i am searching for a php based solution
@GliderPilot
there is an unlimited number of unwanted extension , its not feasible

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.