1

So I have this file upload system that is supposed to only accept the file types in $allowedExts but some guy keeps breaching the system with a file called angel.jpg.php. I think he has changed the mime type but I am still wondering how he breached the extension check. Help would be appreciated. Thanks in advance.

<?php    
$allowedExts = array("gif", "jpeg", "jpg", "png", "bmp", "doc", "pages", "docx",  "pdf","ppt","pptx","xls","xlsx");

$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
$extension2 = pathinfo($target_file,PATHINFO_EXTENSION);

if (($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png")
|| ($_FILES["file"]["type"] == "image/bmp")
|| ($_FILES["file"]["type"] == "application/msword")
|| ($_FILES["file"]["type"] == "application/x-iwork-pages-sffpages")
|| ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")
|| ($_FILES["file"]["type"] == "application/pdf")
|| ($_FILES["file"]["type"] == "application/vnd.ms-powerpoint")
|| ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.presentationml.presentation")
|| ($_FILES["file"]["type"] == "application/excel")
|| ($_FILES["file"]["type"] == "application/vnd.ms-excel")
|| ($_FILES["file"]["type"] == "application/x-excel")
|| ($_FILES["file"]["type"] == "application/x-msexcel")
|| ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet")
&& in_array($extension, $allowedExts) && in_array($extension2, $allowedExts) && getimagesize($_FILES["file"]["name"])!=='FALSE')
{
// Upload file
}

else {
// Do not upload file
}
Improve this question
5
  • 2
    Your logic is flawed, because the conditions for the extension are &&-linked to the last of your mime type conditions only, because && has higher precedence than ||. You need to put another set of round brackets around all those ||-linked conditions. Commented Nov 16, 2014 at 12:26
  • try to minimize the logical conditions by putting the $_FILES["file"]["type"] into a variable Commented Nov 16, 2014 at 12:28
  • And combining all those none-image mime types with getimagesize does not make much sense either – I doubt that getimagesize will return anything but false if you let it check f.e. an excel document. Commented Nov 16, 2014 at 12:30
  • So do I need to look at the file content then? Commented Nov 16, 2014 at 12:35
  • Drop all that and replace it with an array and in_array($realMimeType, $arrayOfAllowedMimeTypes, true) Commented Nov 16, 2014 at 13:07

1 Answer 1

Reset to default
2

As nobody added more useful tips.
I decided to search for them myself.
I found some pretty good tips on various websites.

Here are two of them:
http://hungred.com/useful-information/secure-file-upload-check-list-php/
http://nullcandy.com/php-image-upload-security-how-not-to-do-it/

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.