Code execution from uploaded files

4
votes

I'm doing a security audit on my friend's website. One piece of functionality is allowing users to upload files from html. The only validation is renaming the file to the current time stamp.

I was wondering, is there a way to upload a malicious file so that when a user goes to the url for that file, it executes code (on the server side)?

I tried uploading a hello-world php script, but it simply displays the code rather than executing it. If the file extension was .php, it would be executed, however, there is no file extension (because the file was renamed).

EDIT: I have access to the complete source code as part of the security audit. It would be better if I could solve this issue without using it, but I can answer any questions about the source code if needed.

5
phpfile-uploadsecurity
I can promise that this isn't to be malicious. This is an assignment for a Web Programming class that I am taking. The site in question has many security vulnerabilities (such as SQL injection and XSS). I'm trying to see if its file uploading mechanism is another vulnerability. - matzahboy
you might what to look into "cross protocol scripting" too - tereško

5 Answers

1
votes

As far as i know, uploading the file and visiting it via. the browser can not execute it server-side, unless the server is set to execute files without extensions. However, if there's other vulnerabilities like Local File Inclusion you might be able to upload and execute a php script.

You can read a bit about File inclution here: Wiki on RFI (almost the same) and here Document on LFI and how it can be used

If you can execute the file or not depends allot on the server/sites setup, so you'll have to pen-test it you self to se if you can execute a php script.

The only thing you can do in a file with no extension is, as you mention your self, XSS, but only in older browsers (IE8 and down is vulnerable, most other browsers aren't.)

1
votes

The security scanner Chorizo! might be of interest:

https://chorizo-scanner.com/

The solution was implemented by a company, which does daytime PHP consulting and coding.

It's a payed service. One scan is free.

0
votes

Well, one thing that you would always remain at risk for is providing the possibility of getting malicious code onto the server - whether or not they would be able to execute it merely by viewing the URL of the specific file isn't all you have to think about.

If there was a vulnerability in YOUR code where you dynamically include or open local files on the server, then one could simply include the (now) local malicious code to be executed. Now granted this sort of attack is even common with people trying to include code on remote servers, but some setups are configured to prevent including remote files which would stop those attacks. Such a configuration would still leave you vulnerable if the code is physically on the machine and a weakness is found in your executable code.

That's just a thought - I wouldn't worry or panic too much about it, but I wouldn't entirely rule it out either.

0
votes

From my understanding a lot of web output relies on reading files not actually executing them. A server will need specific permissions to execute a file.

The solution is firstly to check that the file types uploaded are allowed. If you are only uploading images - you don't expect a .php script. But this does not stop me creating bad.php and uploading it as bad.jpg.

I for example (on my ubuntu box) uploaded a php file with 777 permissions and could only run it by typing php hello.php. You would never normally do an include() on a file someone has uploaded so I believe most code relates to being readable.

Wikipedias page on File inclusion is a good start and includes a PHP example: https://en.wikipedia.org/wiki/File_inclusion_vulnerability

-2
votes

Upload a file with javascript. There are plenty of js vulnerabilities.

http://en.wikipedia.org/wiki/Cross-site_scripting