0
<?php

    if($_POST){

        $imagentipo=$_FILES['imagen']['type'];
        $check=array("image/gif","image/jpeg","image/png");

        if(in_array($imagentipo,$check)){
            $imagen=$_FILES['imagen']['name'];
            $temp=$_FILES['imagen']['tmp_name'];
            move_uploaded_file($temp,$imagen);
        }
    }
?>
<html>
<body>
    <form action=test.php method=post enctype=multipart/form-data>
        <img src="<?php echo $imagen ?>" width=50 height=50><br>
        <input type=file name=imagen accept="image/*"><br>
        <input type=submit name=lol>
    </form>
</body>
</html>

This code only allows .jpg .gif .png files to be uploaded; however, that can be bypassed with tamper data. Any ways to prevent this?

Brian Tompsett - 汤莱恩
  • 5,753
  • 72
  • 57
  • 129
Miqe EqiM
  • 17
  • 3
  • Do you want to try to detect invalid uploads, sanitize all uploads, or a combination of both? (Sanitizing is often easier/quicker than detecting.) – Malcolm Diggs Jul 05 '13 at 01:36
  • In order to be vulnerable to LFI (Local File Inclusion), you'd need to be including a file in your script (as the name alludes to). – nickb Jul 05 '13 at 01:41
  • @nickb: that's not correct. If you are able to read e.g. /etc/passwd it is still a file inclusion even if it is not executed. – Chris Jul 05 '13 at 05:19
  • @Chris - And where do you see, anywhere in this script, a local file that was specified by the user being read? – nickb Jul 05 '13 at 06:30

1 Answers1

1

Move uploaded files outside the web root and use functions from an image manipulation library to check if the uploaded file is indeed an image. Like Imagick:

try{
  $image = new Imagick($filePath);
}catch(Exception $e){
  // fail
}

If you don't have Imagick:

if(getimagesize($filePath) === false){
  // fail...
}
nice ass
  • 16,471
  • 7
  • 50
  • 89