Starting a few days ago, I've noticed that my website is taking too much time to upload POST forms.

And after investigating a little, I've found in my server error logs an attempt to upload malware:

ModSecurity: Rule processing failed (msg=Attempt to upload malware)

I don't know if this issue could be caused by a virus on my computer, or maybe I have another thought about this:

This happens only in forms which have an "Image upload" input...

Maybe the problem is that the file names contain special characters such as "", ñ, '' and others.

This is the script that I use to upload images to my website:

if ($_FILES["image"]["error"] > 0) {
    $image_name = "0";
} else {
    // Check that the file type is an allowed image type and that the size
    // does not exceed the limit ($limite_kb; the original comment said 100 KB).
    // Note: $_FILES['image']['type'] is supplied by the client and is not verified here.
    $permitidos = array("image/jpg", "image/jpeg", "image/gif", "image/png");
    $limite_kb = 5000;
    $date = date("YmdHis");

    if (in_array($_FILES['image']['type'], $permitidos) && $_FILES['image']['size'] <= $limite_kb * 1024) {
        // Destination path for the image; a directory with this name must already
        // exist in the same place as subir.php.
        $ruta = "../post/clan/" . $sessionid . '-' . $date . $_FILES['image']['name'];
        // Skip the copy if a file with this name already exists
        // (optional; an alternative is to pick another name so nothing is overwritten).
        if (!file_exists($ruta)) {
            // Move the file from the temporary path to our path;
            // $resultado holds true or false.
            $resultado = move_uploaded_file($_FILES["image"]["tmp_name"], $ruta);
            if ($resultado) {
                $image_name = $sessionid . '-' . $date . $_FILES['image']['name'];
                // The file name comes from the client, so bind it as a parameter
                // instead of interpolating it into the SQL string.
                $stmt = $mysqli->prepare("UPDATE clans SET image=? WHERE id=? AND user=?");
                $stmt->bind_param("sss", $image_name, $clanid, $sessionid);
                $result = $stmt->execute();
                $stmt->close();
            } else {
                echo "ocurrio un error al mover el archivo.";
            }
        } else {
            echo $_FILES['image']['name'] . ", este archivo existe";
        }
    } else {
        echo "archivo no permitido, es tipo de archivo prohibido o excede el tamano de $limite_kb Kilobytes";
    }
}

How can I convert file names to remove special characters and blank spaces?

Jason Aller
1 Answer

Here: How to remove non-alphanumeric characters? is an article on how to remove alphanumeric characters. In order to save the file, run the code given there on $_FILES['image']['name'] like this:

// Keeps letters, digits and spaces (note the space inside the character class);
// drop that space from the class to strip blanks as well.
$name = preg_replace("/[^A-Za-z0-9 ]/", '', $_FILES['image']['name']);

This should fix your problem unless the issue is experienced earlier in the flow, i.e. if data isn't posted to the script but blocked before it can get there by the ModSecurity rule, in which case that is a totally different question, although one that could be easily solved by stripping those characters on the front end with JavaScript.

If there actually is malware being sent to your server, please take your time to handle file uploads correctly. They are very difficult to get right, but there are hundreds of articles out there that focus on how to limit attack vectors within upload forms, so please go through those and make sure you close as many holes as possible before you push upload code to production.

edit:

Here is an article that should help you with image upload security

Full Secure Image Upload Script

James Driver