Newsgroups: php.internals
Date: Thu, 31 Jul 2003 07:46:37 -0700 (Pacific Standard Time)
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: skate
cc: internals@lists.php.net
Subject: Re: [PHP-DEV] upload compromises

There is a directive to turn off uploads altogether. I don't see us going beyond that. How are we supposed to detect executables? An executable is extremely platform-dependent. I suppose we could suck all the code from the UNIX 'file' command into PHP and try to determine a filetype from the magic bytes, but to what end? What exactly are you trying to protect against here? The uploaded file is not going to get the execute bit set unless you explicitly set it when you copy the file to its destination location in your script.

The only way to upload a file and then execute it is to know a little bit about the web server and upload specific file types the web server is configured to execute. For example, uploading a .php file to a script that is dumb enough to copy this file to somewhere under the document_root would result in the ability to upload arbitrary php code on that server. Or if the server is configured to parse PHP out of all .html files, then simply uploading a .html file would do the same.
On the other hand, uploading a Windows .EXE to my server isn't going to do a damn thing no matter how stupidly I treat it on my end. Likewise if you upload a FreeBSD binary, that isn't dangerous on my server. But uploading a .html or a .pl could potentially be.

My point is that we have no way of knowing what is dangerous and what isn't. This is something the application developer will have to determine in his receiving script.

-Rasmus

On Mon, 31 Jul 2000, skate wrote:

> i know i probably shouldn't be posting this in here, but i'm not sure where else to do so. so please forgive me if this is the wrong place.
>
> basically in PHP 5 is there going to be a php.ini directive to control uploads? so for instance an ISP can restrict uploading of certain files, or only allow others. This would obviously help greatly in protecting against upload compromises, and also against any other kind of upload attacks (DoS). I'm also wondering if there's a way to get uploading executables turned off on a default install. it seems that there is a lot of new users, or just users wanting to get started quickly that overlook the upload issues. I see it quite a lot in both the PHP lists, and the security focus lists.
>
> PHP has recently gotten a bad name for itself with this type of compromise and it's an all too common problem that despite the warnings, still crops up regularly. making a change like this could help to not only improve security, but also the bad publicity that PHP has received over this.
>
> anyway, my 2 cents, sorry again if this is in the wrong place...
>
> -skate-
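
The kind of receiving script the reply above leaves to the application developer, as an added example that is not part of the original thread or of PHP itself. The helper name `store_upload`, the form field `attachment`, the storage path and the allowed extensions are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): accept one entry of $_FILES and
// store it where the web server will never treat it as code.
function store_upload(array $file, string $storageDir, array $allowedExt): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'unknown'));
    }
    // Only accept a temp file that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Allowlist on the final extension of the client-supplied name. The
    // client name is used for nothing else.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException("extension '$ext' is not allowed");
    }
    // Server-generated name with exactly one extension, so a name such as
    // "report.php.png" or a path component never reaches the filesystem.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($target, 0640); // the script never sets an execute bit
    return $target;
}

// Usage in the receiving script. Assumptions: the form field is named
// "attachment" and /var/lib/myapp/uploads lies outside the document root.
if (isset($_FILES['attachment'])) {
    try {
        $path = store_upload($_FILES['attachment'], '/var/lib/myapp/uploads', ['png', 'jpg', 'pdf']);
        echo 'stored as ', basename($path), "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The allowlist has to reflect what the particular web server is configured to execute or parse, which is why extensions such as html belong on it only if that server does not parse PHP out of them.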