check image for malicious code and delete it
How can I detect if an uploaded image has malicious code and delete it from the temp folder?

code:

$_FILES['file']['tmp_name']

As far as I know there is no way to stop it hitting the /tmp folder.

I read that I could use

$file_data = getimagesize($_FILES['file']['tmp_name']);
if (is_array($file_data) && strpos($file_data['mime'], 'image') !== false) {
    echo "Image";
}

but how reliable is that?

Hynes answered 3/2, 2014 at 10:41 Comment(3)
As soon as you can access the file and its properties, it has already made it to your temp folder. – Araliaceous
How can I delete the image from the /tmp folder? – Hynes
You can use the unlink() method. – Araliaceous
Try to resize the uploaded image with the function imagecopyresized. If it resizes successfully, it means the file is an image. If not, delete it.

Intermediary answered 3/2, 2014 at 10:44 Comment(0)
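As an added example (not code from the question or from either answer), here is a validation pipeline that combines the getimagesize() check from the question with the re-encode idea in this answer, and deletes the temp file whenever a step fails. It assumes PHP 8 with the GD and fileinfo extensions, the form field name 'file' from the question, and an uploads/ directory of this example's own choosing that the web server must never execute PHP from.

```php
<?php
// Added example: validate an uploaded image, then re-encode it with GD so that
// only pixel data reaches the final file. Field name 'file' comes from the
// question; UPLOAD_DIR, the size caps and the naming scheme are assumptions.
declare(strict_types=1);

const MAX_BYTES  = 4_000_000;              // 4 MB upload cap (example value)
const MAX_PIXELS = 8000 * 8000;            // refuse decompression bombs
const UPLOAD_DIR = __DIR__ . '/uploads';   // must be served with PHP execution disabled

/**
 * Returns the path of the re-encoded image, or null after deleting the temp
 * file when any check fails. Never trusts $_FILES['file']['type'] or the
 * client-supplied file name.
 */
function acceptImageUpload(array $file): ?string
{
    $tmp = $file['tmp_name'] ?? '';
    $cleanup = static function () use ($tmp): void {
        if ($tmp !== '' && is_file($tmp)) {
            unlink($tmp);                  // the "delete it from /tmp" part of the question
        }
    };

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($tmp)
        || filesize($tmp) > MAX_BYTES) {
        $cleanup();
        return null;
    }

    // 1. Magic-byte check via libmagic, independent of extension and Content-Type.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        $cleanup();
        return null;
    }

    // 2. Header parse. getimagesize() reads only the header, so a valid image
    //    with extra bytes appended still passes here; that is why step 3 exists.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime || $info[0] * $info[1] > MAX_PIXELS) {
        $cleanup();
        return null;
    }

    // 3. Full decode + re-encode. GD builds a fresh bitmap; comments, EXIF and
    //    anything after the image stream are not copied into the output.
    $src = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($src === false) {
        $cleanup();
        return null;
    }
    $dst = imagecreatetruecolor($info[0], $info[1]);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $info[0], $info[1], $info[0], $info[1]);

    // 4. Server-chosen name: random, extension derived from the detected type.
    $ext  = $allowed[$mime];
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_dir(UPLOAD_DIR)) {
        mkdir(UPLOAD_DIR, 0750, true);
    }
    $ok = match ($ext) {
        'jpg' => imagejpeg($dst, $dest, 85),
        'png' => imagepng($dst, $dest, 6),
        'gif' => imagegif($dst, $dest),
    };
    imagedestroy($src);
    imagedestroy($dst);
    $cleanup();                            // the original upload bytes never persist

    return $ok ? $dest : null;
}

if (isset($_FILES['file'])) {
    $stored = acceptImageUpload($_FILES['file']);
    echo $stored === null ? "Rejected\n" : "Stored as " . basename($stored) . "\n";
}
```

The re-encode is what turns the resize idea into a filter: imagecreatefromstring() fails on anything GD cannot decode, and the output is written from the new bitmap, so bytes appended after the image stream or hidden in metadata segments are not carried across. getimagesize() on its own stops at the header, which is why it serves only as a first gate here.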
It's not sufficient if you check only the file type like that, as the malicious code can be injected into the JPEG header. Here are some useful references for you:

http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/

How to prevent every malicious file upload on my server? (check file type)?

I will post another 2 links from OWASP as I don't have enough reputation to do so.

You can also use a regular expression function or the grep command to check the uploaded files for certain keywords:

#!/bin/bash
SEARCH_DIR="/tmp"  # change this to your upload dir
# Extended regex of strings commonly found in PHP web shells; the first
# alternative matches preg_replace( ... /e (the old eval modifier).
PATTERNS="preg_replace\(.*/e|passthru|shell_exe|my_delimdelimUploaded|myshellexec|PHPShell|FilesMan"

# -R recurse, -l list matching file names only, -i case-insensitive;
# --include restricts the scan to files with image extensions
grep -E --color -Rli --include='*.jpg' --include='*.jpeg' --include='*.gif' --include='*.png' "$PATTERNS" "$SEARCH_DIR"

Hope that the script will help to sanitize some of the malicious code; you can trigger your IP blackhole and send out an alert message accordingly.

Besides, you may also turn off the executable privilege on /tmp or the upload folder using the 'noexec' and 'nosuid' options in /etc/fstab (this is for FreeBSD).

Suture answered 3/2, 2014 at 11:14 Comment(0)
This question is from about 1 year ago, but maybe other people still have this problem, so I put a solution here. It worked for me; hope it works for you too.

<?php
if (isset($_POST['submit']) && !empty($_FILES['ufile']['name'])) {
    $filename = basename($_FILES['ufile']['name']);                   // drop any directory part of the client-supplied name
    $fileext  = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); // extension of the uploaded file

    if ($fileext == "jpg" || $fileext == "jpeg" || $fileext == "gif" || $fileext == "png") {
        // read the whole temp file so the keyword check below sees every byte
        $content = file_get_contents($_FILES['ufile']['tmp_name']);
        if ($content === false) {
            die("Error: could not read the uploaded file!");
        }

        /* Add the words (tags) or any suspect words you want to block uploads on */
        $forbidden = array("html",
                           "php",
                           "form",
                           "script",
                           "java",
                           "div",
                           "table",
                           "span",
                           "tr",
                           "td",
                           "th",
                           "submit",
                           "body",
                           "head",
                           "var",
                           "function");
        foreach ($forbidden as $forbidword) {
            if (strpos($content, $forbidword) !== false) {
                unlink($_FILES['ufile']['tmp_name']); // remove the rejected file from the temp folder
                die("Error: Malicious image cannot be uploaded!");
            }
        }

        if (move_uploaded_file($_FILES['ufile']['tmp_name'], "./".$filename)) {
            echo "The file was uploaded successfully <br/>
                  Details : <br>
                  Link : ".$filename."<br />
                  File Name : ".$filename." <br>
                  File Size : ".($_FILES['ufile']['size']/1000)." KB <br>
                  File Type : ".$_FILES['ufile']['type'];
        } else {
            $err = error_get_last(); // error_log() takes a message to write; it cannot report the last error
            echo "An unexpected error : ".($err ? $err['message'] : "unknown");
        }
    } else {
        echo "Only files with these extensions are allowed to upload: "."JPG, JPEG, GIF, PNG";
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<form action="" method="POST" name="addnews" enctype="multipart/form-data">
 <input type="hidden" name="MAX_FILE_SIZE" value="4000000" /> 
    <label class="title">Choose an image file:
    <input type="file" name="ufile" />
    </label>
    <br />
    <input name="submit" type="submit" value="Upload Media" />
</form>
</body>
</html>
Gatias answered 6/10, 2015 at 17:41 Comment(0)
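Added example (not code from this answer or the earlier one): a PHP scan that does what the egrep script in the earlier answer does and what the forbidden-word list in this answer attempts, but binary-safe and with word-anchored patterns, so that two-letter tokens such as "tr" or "td", which occur by chance inside ordinary compressed image bytes, do not trip it. The pattern names, the SCAN_PATTERNS list and the two constructed fixture files are this example's own; it assumes PHP 7.4 or later and writes its fixtures under sys_get_temp_dir().

```php
<?php
// Added example: binary-safe scan of an upload directory for embedded script
// markers. Pattern list, function names and the demo fixtures are assumptions
// made for this example, not part of any answer on the page.
declare(strict_types=1);

/** Anchored patterns; \b keeps short tokens from matching random image bytes. */
const SCAN_PATTERNS = [
    'php_open_tag'   => '/<\?(php|=)/i',
    'script_tag'     => '/<script\b/i',
    'shell_function' => '/\b(?:passthru|shell_exec|system|exec|popen|proc_open)\s*\(/i',
    'eval_call'      => '/\beval\s*\(/i',
    // preg_replace with the /e modifier (removed in PHP 7, still a common marker)
    'preg_replace_e' => '/preg_replace\s*\(\s*["\'].{0,200}?\/[a-z]*e[a-z]*["\']/is',
    'webshell_names' => '/\b(?:FilesMan|PHPShell|myshellexec)\b/',
];

/** Scan one file; returns the names of the patterns that matched. */
function scanImageFile(string $path): array
{
    $data = file_get_contents($path);
    if ($data === false) {
        return [];
    }
    $hits = [];
    foreach (SCAN_PATTERNS as $name => $re) {
        if (preg_match($re, $data) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Walk $dir recursively, scan files with an image extension, and return
 * [path => [pattern names]] for every file that matched at least once.
 */
function scanUploadDir(string $dir, array $exts = ['jpg', 'jpeg', 'gif', 'png']): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), $exts, true)) {
            continue;
        }
        $hits = scanImageFile($file->getPathname());
        if ($hits !== []) {
            $findings[$file->getPathname()] = $hits;
        }
    }
    ksort($findings);
    return $findings;
}

// --- constructed demo fixtures (a real deployment points this at its upload dir) ---
$demo = sys_get_temp_dir() . '/scan-demo-' . bin2hex(random_bytes(4));
mkdir($demo . '/sub', 0700, true);
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // 1x1 GIF
file_put_contents($demo . '/clean.gif', $gif);
// the same valid GIF with an inert PHP open tag appended after the image trailer
file_put_contents($demo . '/sub/tagged.jpg', $gif . "<?php /* constructed marker */ ?>");

foreach (scanUploadDir($demo) as $path => $hits) {
    printf("%s: %s\n", $path, implode(', ', $hits));   // only sub/tagged.jpg is listed
}

// tidy up the fixtures
unlink($demo . '/sub/tagged.jpg');
unlink($demo . '/clean.gif');
rmdir($demo . '/sub');
rmdir($demo);
```

Run from the command line: the clean GIF produces no finding, while the copy with the appended tag is reported under php_open_tag. The plain substring list above would behave differently on real photos: a JPEG of a few hundred kilobytes contains almost every two-byte sequence somewhere in its compressed data, so "tr", "td" or "th" will reject many legitimate uploads, while a marker split across a case change or encoded differently slips through. Anchored patterns reduce the first problem; only the decode-and-re-encode approach from the earlier answer removes the second.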