user2400053

Reputation: 11

Prevent upload shell files. php

I have an image upload website. Someone is uploading shell files here. My validations are:

- Check the file's MIME type (only image MIME types are allowed)
- Check whether getimagesize returns an array (by is_array). If not, error.

And still, someone is uploading shell files. Please help. Thanks a lot!

Little check:

$ext = ($_FILES['files']['type']);

if (($ext != "image/jpeg") && ($ext != "image/pjpeg") && ($ext != "image/png")
    && ($ext != "image/gif") && ($ext != "image/bmp") && ($ext != "image/x-icon")
    && (!is_array(getimagesize($_FILES['files']['tmp_name'])))) {
    // Show error
} else {
    // Keep upload...
}

Upvotes: 0

Views: 1676

Answers (1)

Nope

Reputation: 927

You should check the files' permissions; they should not be executed by PHP. It's easy to store data in the raster data matrix of an image (obviously).

Look at these innocent jellyfish:

Innocent jellyfishes

Stack Overflow converted my innocent .BMP into a .PNG

The original .bmp can be found on a friend's server. If you look in the bottom-left corner, you will see strange pixels, corresponding to ASCII data written in the pixel data.

In order to avoid shell files, you should apply a modification which will slightly alter every pixel of the images.

To me, conversion (compression) seems like a good start.

Good luck!

Upvotes: 1
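The following added example (not code from the question or the answer) combines the points raised in this thread: it ignores the client-supplied `$_FILES[...]['type']`, detects the type from the file content, re-encodes the image as the answer suggests, and stores it under a server-generated name. The function name `store_uploaded_image` and the directory `/var/www/uploads` are hypothetical; the GD and fileinfo extensions are assumed to be enabled.

```php
<?php
// Added example. Assumptions: form field 'files' (as in the question),
// GD + fileinfo enabled, and a hypothetical upload directory that the
// web server is configured NOT to execute PHP in.
function store_uploaded_image(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // Detect the type from the content; $file['type'] is sent by the
    // client and must not be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        throw new RuntimeException('Not an allowed image type');
    }

    // Decode the pixels and re-encode them: only a parseable image gets
    // through, and metadata or trailing bytes of the original are dropped.
    $data = file_get_contents($file['tmp_name']);
    $img = ($data === false) ? false : @imagecreatefromstring($data);
    if ($img === false) {
        throw new RuntimeException('Not a decodable image');
    }
    imagesavealpha($img, true); // keep transparency of PNG/GIF sources

    // Server-generated name with a fixed extension: the client's file
    // name (and any ".php" in it) is never used.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, $target)) {
        throw new RuntimeException('Could not write image');
    }
    chmod($target, 0644); // readable, no execute bit
    return $target;
}

try {
    $path = store_uploaded_image($_FILES['files'] ?? [], '/var/www/uploads');
} catch (RuntimeException $e) {
    http_response_code(400);
    exit('Invalid upload');
}
```

Re-encoding narrows what survives but is not a guarantee on its own; the generated name with a fixed extension and a storage directory that never executes PHP are what keep an uploaded file from running.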
