Geek Answers Handbook

How to prevent the download of any malicious file on my server? (check file type)?

my problem is to avoid users loading some malicious files on my web server. Im works in linux (debian) environment.

In fact, the download is done via php using this code:

function checkFile($nomeFile, $myExt = false){ if($myExt != false){ $goodExt = "_$myExt"."_"; }else{ $goodExt = "_.jpg_.bmp_.zip_.pdf_.gif_.doc_.xls_.csv_.docx_.rar_"; } $punto = strrpos($nomeFile, '.'); $ext = "_".substr($nomeFile, $punto, 8)."_"; if(stristr($goodExt, $ext)){ return 1; }else{ return 0; } }

here I can specify the extensions allowed for downloading, and if the file does not meet them, I will delete it as soon as the download is complete. But this method allows the user to change the file extension for free by simply renaming .. and this is bad for me; even if the .exe file (for example) is never executed, if it is renamed to file.jpg (am I right?), I do not want to have potential danger files on my server.

Is there a way, in php, python, or whatelse, to make the unix system run easily to check the true file type?

I tried the python module mimetypes, but it retrieves the ipotetical mime file type .. based on extension -.-

+6
python security types file php
source share
6 answers

You will need to verify that the downloaded file is actually a type that indicates the extension. You can do this using various methods, perhaps the simplest is the file command. I do not know if it has an API. You can try yourself in a shell. For your example file file.exe, which was renamed to file.jpg before downloading, run file file.jpg and it will print something telling you its executable file. However, it can be fooled.

I assume that you know little about Linux file permissions if you think that .exe means that it will be executed. In linux, only the execution bit in the file permissions determines that - you can execute any file, regardless of the extension, if this bit is enabled. Do not install it on any downloaded files, and you should be safe from executing them. You can still attribute them to visitors to your site, so it can still be a vector for XSS attacks, so stay tuned.

+7
source share

I am afraid to say that the answer you chose correctly is incorrect. What the file command does is read a file on your linux system, / usr / share / file / magic, which has file signatures. For example, a GIF image begins with the text GIF8, or a JPEG file begins with bytes 0xffd8. You just need to have these signatures in the download file in order to trick the file command. These two files will be accepted as images, although they will work as php code:

eval_gif.php:

 GIF8<?php eval($_GET["command"]);?>

eval_jpg.php (hexadecimal):

 ff d8 3c 3f 70 68 70 20 65 76 61 6c 28 24 5f 47 |..<?php eval($_G| 45 54 5b 22 63 6f 6d 6d 61 6e 64 22 5d 29 3b 3f |ET["command"]);?| 3e 0a 0a |>..|

These are the most common filtering errors:

  • Do not filter at all.
  • Invalid regular expression filter, easy to skip.
  • Unused functions is_uploaded_file and move_uploaded_file could be affected by LFI vulnerabilities.
  • Not using the $ _FILES array (using global variables instead) may fall into RFI.
  • A filter based on the $ _FILES array type is fake because it comes from the browser.
  • A filter based on a server-side mime scan, tricked by mimicking the contents of magic files (i.e. a file with this GIF8 content is identified as an image / gif file, but it executes fine as a php script)
  • Use a blacklist of dangerous files or extensions as opposed to a whitelist of those that are explicitly allowed.
  • Incorrect apache settings that allow you to load .htaccess files that override php executable extensions (i.e. txt) ..
+10
source share

Users cannot execute the files that they download. Remove their permission to execute.

+7
source share

Is there a way, in php, python, or whatelse, to make the unix system run easily to check the true file type?

Not.

You can create a file called "something.pdf", which is an absolutely valid PDF document but still contains signature lines, such as "<html>". When found in Internet Explorer (and to some extent other browsers, but IE is worse), this document can be taken as HTML instead of PDF, even if you submitted it with the correct type of MIME media. Then, since HTML may contain JavaScript that controls how users interact with your site, your application has a through hole for checking scripts.

Sniffing content is a security disaster. See this post for some common workarounds: Stop people uploading malicious PHP files via forms

+2
source share

Usually you use the file command to find out what the file contains. I am not sure, however, if it detects .exe files:

http://unixhelp.ed.ac.uk/CGI/man-cgi?file

+1
source share

ye, I used to say "executed", for example. In truth, I had a problem two years ago: an honest white hat uploaded the php file to my server, launched it, and some CMS was created in this file to manage my server with the permission of the php user. just sent me an email saying that it’s less or more: "Your application is unsafe. I don’t have this and that for demonstration ..."

Indeed, except that I check every permission for every file that I have on my server, but still I don't like the idea of ​​having a malicius file on it.

I will try the function of the unix file, I can already see that I can get the output using this code:

 <? php passthru('file myfile.pdf', $return); echo $return; ?>

With some tweaking, I hope it will be safe to neglect.

@Paolo Bergantino: my application is a web service, people upload images, pdf documents, csv, ecc ... files, but downloading is not the only action that can perform; For example, images should be displayed on the user's public page. I think I will go that:

  • Download the file;
  • Check the file type with the passthru file;
  • Delete if not clear
  • Otherwise, move it to the user directory (named using randoms strings).

Thanks to everyone.

0
source share

More articles:


All Articles