security risks if someone uploads a php file instead of an image

Question

Suppose that our web-hosting is linux and php is installed: 1- What could be the worst that happens when a php code can be uploaded instead of an image.

2- Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.

3- What if when the image directory has 644 permission?

The answer to my question can be combined with the ones given to these two: Security: How to validate image file uploads? and Security issues in accepting image uploads

How do you serve your files? What names do you give to them? — zerkms, Aug 20 '12 at 22:35
I mean: what names (name and extension part) do you give the files after uploading? And how do you serve your files: by script or by webserver? — zerkms, Aug 20 '12 at 22:47

Niklas B. · Accepted Answer · 2012-08-20T23:06:01.933

What could be the worst that happens when a php code can be uploaded instead of an image.

Worst case: Intruder can execute arbitrary PHP code, maybe even arbitrary code on the server. If the attacker is clever enough while the sysadmins aren't, he might even own the whole server/subnet/network/...

Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.

If the attacker can execute PHP code (which of course depends on your security measures), he can definitely read files from the current user, so the answer is most probably yes.

What if when the image directory has 644 permission?

Unless you use PHP in CGI mode, the execute bit shouldn't be necessary for the webserver to execute a script, so that alone doesn't help.

Of course those are not the questions you should ask. The question you should ask is how to prevent an attacker from uploading an executable PHP file in the first place. My answer to that is that you should check the file extension against a white list and drop everything else, for example:

$pattern = "/\.(jpe?g|gif|png)$/iD";
if (!preg_match($pattern, $filename))
    die("Please don't.");

score 2 · Answer 2 · answered Aug 20 '12 at 22:39

You should make sure you don't allow parsing of php files in your image directory, since I'm assuming it's going to be open to the public.

You could do this in the /images/.htaccess file with

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3

That way if they try to go to domain.com/images/hackdatabase.php it'll just return their code and not the file.

But you should check to make sure its' an image in the first place.

security risks if someone uploads a php file instead of an image

2 Answers2