oldboy

Reputation: 5954

Not validating file, a security issue?

I'm just reading this documentation and came across the following sentence: "Not validating which file you operate on may mean that users can access sensitive information in other directories."

First of all, it doesn't explain what constitutes "validating" in this context, so I was hoping somebody would be able to clarify this for me.

Lastly, how exactly would users be able to access other directories if one didn't "validate" the file they're operating on?

Upvotes: 0

Views: 22

Answers (1)

Lawrence Cherone

Reputation: 46610

It means if you don't validate the file which is uploaded, you potentially open yourself up to someone simply uploading a PHP script.

Whether you place that file in an accessible location in your webroot will determine whether the user/attacker can run it.

So if you expect images, check it's an image. If you expect .xml, check it's an XML file.

The second part of your question, it's trivial to traverse the filesystem once you have a backdoor.

Upvotes: 1
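The checks discussed in this thread, as an added example that is not part of the original answer or of the quoted documentation: confirm the file really is a PHP upload, detect its type from its content against an allowlist, and store it under a server-generated name. The function names, the allowlist, the size limit and the storage directory outside the webroot are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Allowlist (assumed): detected MIME type => extension the server assigns.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Returns the extension to store under, or null when the content is not an allowed type.
function allowed_extension(string $path, int $maxBytes = 2000000): ?string
{
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Detect the type from the file's bytes; the client-sent name and type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
}

// $file is one entry of $_FILES; $storeDir is assumed to be outside the webroot.
function store_upload(array $file, string $storeDir): ?string
{
    // is_uploaded_file() confirms tmp_name is a file PHP received via HTTP POST,
    // not some other path on the server.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file((string) ($file['tmp_name'] ?? ''))) {
        return null;
    }
    $ext = allowed_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-generated name: no part of the request reaches the destination path.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed samples, run from the command line: a PHP script and a PNG header.
if (PHP_SAPI === 'cli') {
    $samples = [
        'script' => "<?php echo 'hello'; ?>",
        'png'    => "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00",
    ];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        echo $label, ': ', allowed_extension($tmp) ?? 'rejected', PHP_EOL;
        unlink($tmp);
    }
}
```

Content-type detection only inspects the leading bytes of a file, so the storage location outside the webroot and the server-chosen extension are what keep an uploaded file from being executed.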
