123
-=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- (c) WidthPadding Industries 1987 0|115|0 -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=- -=+=-
Socoder -> Off Topic -> Upload Down

Mon, 11 Jun 2012, 16:19
Jayenkai
Due to MASSIVE security flaw, upload is temporarily down.. It’ll be back once I feel up to fixing it. Apologies. But thanks to DD for letting me know.

-=-=-
''Load, Next List!''
Mon, 11 Jun 2012, 16:19
shroom_monk
Once it's fixed, any chance of explaining what it was / how it worked, from an educational standpoint?

-=-=-
A mushroom a day keeps the doctor away...

Keep It Simple, Shroom!
Mon, 11 Jun 2012, 18:49
JL235
If Jay doesn't mind, then I'd be happy to explain.
Mon, 11 Jun 2012, 19:24
JL235
I've also just PM'd Jay a simple fix for the problem, which should solve it. Once you know, it's pretty easy to implement.
Tue, 12 Jun 2012, 06:49
Jayenkai
Yeah, go ahead and explain it, DD. It's another of those "why the hell would they make it do that?" Server issues that don't seem obvious.

-=-=-
''Load, Next List!''
Tue, 12 Jun 2012, 12:28
Stealth
File uploaders are scary. You never know what flaw someone can find and exploit.

-=-=-
Quit posting and try Google.
Tue, 12 Jun 2012, 15:37
JL235
It relates to how Apache handlers work. If you have a file called 'index.php', it will run it as a PHP script, because of the extension. In the early days of the web, it made sense to have multiple extensions. For example 'index.html.en' could be the English version of a HTML file, and so should be served as a HTML file. This is intended behaviour, and so not a bug. This means you can have multiple file extensions.

What I did on SoCoder, was I uploaded a file called 'test.php.zip'. It then ran the PHP handler, because of the .php extension, and so allowed me to execute arbituary PHP on the server.

We could just grep for .php, however what if I want to zip up a php file, and then upload it? 'test.php.zip' is a perfectly legitimate name for a .zip file. Plus checking the file extension is a really flakey way of validating a file. If you want to allow only .png files, then open it up and have a look if it's a .png. Never rely on the file extension!

So a better way to solve this is to place all uploads inside a sub-folder, and at the root, add a .htaccess file which turns off serving HTML and PHP from that folder. Such as:



You need to turn off html too, so it's served as a plain text file, instead of a page on that website. This is so people can't inject script tags, and get access to your session cookie, or navigate the site as you (which you can with JS).

I did some testing on local environment. There 'test.php.zip' is served as a zip file, but 'test.php.foo' is served as HTML. I am able to serve HTML files without a HTML extension at the end, but cannot do this with PHP. So I'm guessing that either SoCoder is setup incorrectly, or that it's running on an older version of Apache and PHP, and this behaviour has changed. However that is a total guess.

In short: always .htaccess off upload areas!
Tue, 12 Jun 2012, 16:06
shroom_monk
If you use HTML file inputs with PHP, are they uploaded to a temporary folder and deleted when the script finishes, or do they remain? I assume that doesn't suffer from the same issue, or does it?

-=-=-
A mushroom a day keeps the doctor away...

Keep It Simple, Shroom!
Tue, 12 Jun 2012, 16:16
HoboBen
Wow. I'm surprised in the case of ".php.zip" later handlers (e.g. .zip) don't (always) take priority over earlier handlers.

You'd expect ".zip" to be detected, and served with a header identifying it as binary, just like you'd expect ".html" to be sent with a "text/html" header. It means even a white-listed set of extensions are vulnerable.

If you want to make this foolproof though, do the disabling in httpd.conf and disallow overrides for the directory (bonus -- you can use regex and be protected if a future version of php comes out with .php6 or something). Drawback is "foo.php.zip" no longer becomes a valid file.

This should really be highlighted in PHP's file uploading documentation.

In any case, thanks! I learnt something new!


-=-=-
blog | work | code | more code
Tue, 12 Jun 2012, 16:49
JL235
That is what I was thinking Ben. Maybe it just ran the handlers in the order they were defined in older Apache, but newer Apache runs them based on right to left in the filename.

The other advantage of using htaccess to corner off a section is that it allows uploading html and php files, such as 'index.php', and they get served as pure text. For a generic upload manager, like what we have on SoCoder, this is handy.`