Security implications of php upload system

Question

I've made a basic looking PHP file load system, so far I can upload any file type, I haven't add any parameters just yet.

But what I want to know is with the method I'm using, what steps should I take to make the system secure? Is there another, more secure way of doing things, and any guides, tips or suggestions that may help with this system?

This is my code so far:

$upload_to = "img/company_logos/";

if($_POST)
{
    if(!empty($_POST['upload']))
    {
        $upload_to = $upload_to . $_FILES['file']['name'];
        move_uploaded_file($_FILES['file']['tmp_name'], $upload_to);
        echo "Uploaded!";
    }
}

?>

<html>
<body>      
    <form method="post" enctype="multipart/form-data">

        <input type="hidden" id="upload" name="upload" value="1" />
        <input type="file" id="file" name="file" />
        <input type="submit" value="Submit" />

    </form>
</body>
</html>

One of the major things I've seen is the upload directory permissions are set to 777 this means anyone can read/write/execute this dir.

Thanks for the help.

This outlines possible vulnerabilities with any upload mechanism: https://www.owasp.org/index.php/Unrestricted_File_Upload — Ioannis Karadimas, Jul 13 '12 at 10:27

score 2 · Accepted Answer · edited May 23 '17 at 10:09

2

Check the referrer
Restrict file types
Rename files
Change permissions
Login and Moderate

http://php.about.com/od/advancedphp/qt/upload_security.htm

And see this one PHP Upload file enhance security

edited May 23 '17 at 10:09

Community

1
1

answered Jul 13 '12 at 10:23

Parker

111
3

1

1) Referrers are easily "spoofed" 2) Ensure you don't just check the file extension but the actual file contents – RobIII Jul 13 '12 at 10:23

Security implications of php upload system

1 Answers1