Is php fileinfo enough to prevent the download of malicious files?

Hey guys, I looked around a bit and did not actually find a professional-type answer on how to allow file downloads securely, so I wanted to get the opinion of some experts on this site. I am currently allowing the download of mp3 files and images, and although I am sure that I am preventing XSS attacks and injections from entering my site, I am not very familiar with file security. I basically just use PHP fileinfo and check the detected file type against an array of accepted file types. For images, there is the getimagesize function and some additional checks. As for storing them, I just have a folder in my directory, because I want users to be able to use the files. If anyone could give me some advice, I would really appreciate it.

+7
security php
6 answers

I usually call ClamAV when accepting files that can be shared. With PHP, this is pretty easy to accomplish using php-clamav.

One of the last things you want to do is distribute malware all over the world :)

If you can, do it in the background after the file is downloaded, but before you make it public. The oddity with this class is that it loads the entire ClamAV virus definition database into memory, which almost certainly stinks if PHP runs under Apache (think about +120 MB of memory per instance).

Using something like beanstalkd to scan downloads and then update your database to make them public is a very good way to get around this.


I mentioned this only because there were no other answers; I did not want this to be a complete solution. See the other answers posted here; this is the step you should end with. Always, always, always sanitize your input, make sure it is of the expected type, etc. (Did I mention that you should also read the other answers?)

+7
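As an added example (not code from the answer above or from php-clamav), the following PHP talks to a running clamd daemon over its socket with the INSTREAM command, so the PHP worker never loads the virus database itself and the scan can run from a background job before the file is made public. The socket path and the quarantine path in the usage comment are assumptions; clamd's reply format ("stream: OK" or "stream: <signature> FOUND") is the documented clamd protocol.

```php
<?php
// Added example: scan a file with clamd via INSTREAM. Not part of the original
// answer. Assumption: clamd listens on the Unix socket below (Debian default;
// adjust to the LocalSocket setting in clamd.conf).
const CLAMD_SOCKET = 'unix:///var/run/clamav/clamd.ctl';

/**
 * Returns null when clamd reports the file clean, the signature name when it
 * reports an infection, and throws on any communication problem (fail closed:
 * a file that could not be scanned is never treated as clean).
 */
function clamdScanFile(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }

    $sock = stream_socket_client(CLAMD_SOCKET, $errno, $errstr, 5);
    if ($sock === false) {
        fclose($fh);
        throw new RuntimeException("clamd unreachable: $errstr ($errno)");
    }
    stream_set_timeout($sock, 30);

    // 'z' prefix: null-terminated command and null-terminated reply.
    fwrite($sock, "zINSTREAM\0");

    // Body is a sequence of chunks, each a 4-byte big-endian length followed
    // by the bytes; a zero-length chunk terminates the stream.
    while (!feof($fh)) {
        $chunk = fread($fh, 8192);
        if ($chunk === false) {
            throw new RuntimeException("read error on $path");
        }
        if ($chunk === '') {
            break;
        }
        fwrite($sock, pack('N', strlen($chunk)) . $chunk);
    }
    fwrite($sock, pack('N', 0));
    fclose($fh);

    // clamd answers once and closes the connection for a single command.
    $reply = stream_get_contents($sock);
    fclose($sock);
    $reply = rtrim((string) $reply, "\0\n");

    if (preg_match('/^stream: (.+) FOUND$/', $reply, $m)) {
        return $m[1];               // e.g. "Eicar-Test-Signature"
    }
    if ($reply === 'stream: OK') {
        return null;
    }
    // "INSTREAM size limit exceeded. ERROR" and the like: not a clean verdict.
    throw new RuntimeException("unexpected clamd reply: $reply");
}

// Usage after move_uploaded_file() into a non-public quarantine directory
// (path is an assumption), before flipping the file to public in the database:
//   $sig = clamdScanFile('/var/www/app/storage/quarantine/' . $storedName);
//   if ($sig !== null) { unlink($quarantinePath); /* reject and log $sig */ }
```

Running this from a queue worker (the beanstalkd approach in the answer) rather than in the request keeps the scan off the Apache worker entirely; the daemon holds the definitions once, regardless of how many PHP processes are running.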

"Malicious" files are not the only way to damage your server (and if your site does not work, that harms your users).


For example, one way to hurt the server is to load a lot of very small files:

  • it will not use all the disk space,
  • but it can use all the available inodes ...

... and when there is no free inode left, it is no longer possible to create any file, which is obviously bad.


After this, problems arise such as:

  • copyright
  • content that does not suit you or your users (nudity?)

For these, there is not much you can do with technical solutions, but an "alert moderator" function is often not needed ;-)

+4

No, because it can be easily faked. There is an article that describes how to attack a server by downloading a 1x1 "jpg" file, and how to prevent it. Well worth reading.

+2

Starting with "file-type" ($_FILES['userfile']['type']) is completely pointless. This is a variable in the HTTP POST request, which can be ANY value the attacker wants. Remove this check as soon as possible.

getimagesize() is a great way to check whether an image is real. Sound files can be more complex; you can call file /tmp/temp_uploaded_file on the command line.

The most important part of the downloaded file is the file extension. If the file is .php, then you just got hacked. Even worse, Apache can be configured to ignore the first file extension if it does not recognize it and then use the following extension, so that the file runs like a normal .php file: backdoor.php.junk. By default this should be turned off, but it was turned on by default several years ago.

You SHOULD use an extension whitelist. That is, you want to only allow files such as jpg, jpeg, gif, png, mp3 and reject everything else.

+2
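As an added example (not code from the answer above), here is an upload handler in PHP that applies the checks the answer lists: it ignores the client-supplied type, whitelists the last extension only, sniffs the actual content with finfo, runs getimagesize on images, and stores the file under a server-generated name. The storage directory, the size limit and the accepted MIME list are assumptions.

```php
<?php
// Added example, not part of the original answer.
// Assumption: UPLOAD_DIR is outside the document root (or a directory where
// the web server is configured never to execute anything).
const UPLOAD_DIR = '/var/www/app/storage/uploads';
const MAX_BYTES  = 10 * 1024 * 1024;

// Whitelist: extension => MIME type(s) the real content must identify as.
// Both sides must agree; an .mp3 whose bytes sniff as image/png is rejected.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],   // deliberately strict; octet-stream is refused
];

/** Validates $_FILES-style entry and returns the accepted extension. */
function validateUpload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($f['error'] ?? 'none'));
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // $f['type'] is never consulted: it is whatever the client put in the request.

    // Only the LAST extension counts and it must be whitelisted, so
    // "backdoor.php.junk" is rejected (junk) and "x.php.jpg" must also
    // contain a real JPEG below.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // Sniff the real content from the temporary file, independent of its name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // Images must additionally decode, and the decoder's view of the format
    // must agree with the sniffed MIME type.
    if (strncmp($mime, 'image/', 6) === 0) {
        $info = @getimagesize($f['tmp_name']);
        if ($info === false || $info['mime'] !== $mime) {
            throw new RuntimeException('not a decodable image');
        }
    }
    return $ext;
}

/** Moves a validated upload into storage and returns the generated name. */
function storeUpload(array $f): string
{
    $ext  = validateUpload($f);
    // Server-chosen name: no user-controlled path component survives.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the server, never executable
    return $name;
}

// Usage in the upload endpoint:
//   $stored = storeUpload($_FILES['userfile']);
//   (record $stored and the original display name in the database)
```

Keeping the original file name only as a database field for display, and never as part of the stored path, removes the whole class of double-extension and path tricks from the file system; the whitelist then only has to agree with what the server will actually serve.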

The first thing to do is to disable the execution of any server-side code (such as PHP) in this directory using the server configuration. Setting up a whitelist for MIME types (or file extensions, since your server uses them to determine the MIME type in the first place), and only allowing media files (not HTML or anything else), will protect you from XSS injections. Those, combined with file type checking, should be enough; the only thing I can think of that could get through is something that exploits graphics/sound decoders, and to detect that you need something like an antivirus scanner.

+1
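As an added example (not configuration from the answer above), this Apache 2.4 fragment does what the answer recommends for an upload directory that is served directly: PHP is switched off there, handlers are detached, content negotiation is disabled, and only the whitelisted media extensions are served at all. The directory path is an assumption; php_admin_flag applies to mod_php and the Header line needs mod_headers.

```apache
# Added example, not part of the original answer. Path is an assumption.
<Directory "/var/www/app/public/uploads">
    # mod_php only: turn the PHP engine off in this tree, whatever the name.
    php_admin_flag engine off

    # Detach handler and type mappings so nothing here is executed, which
    # also covers "name.php.junk" when AddHandler is used elsewhere.
    RemoveHandler .php .phtml .phar
    RemoveType    .php .phtml .phar
    SetHandler    none

    # No CGI, no server-side includes, no extension-based negotiation.
    Options -ExecCGI -Includes -MultiViews

    # Deny everything by default; serve only the whitelisted media files.
    # This authorization rule holds even if a global PHP handler exists.
    Require all denied
    <FilesMatch "\.(?i:jpe?g|gif|png|mp3)$">
        Require all granted
    </FilesMatch>

    # Tell browsers to trust the served Content-Type instead of sniffing.
    Header set X-Content-Type-Options "nosniff"
</Directory>
```

The Require whitelist is the part that actually guarantees a .php file is never served or run from this directory, so it is worth testing with a file of each disallowed extension after deploying the change.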

If exiv2 cannot delete the metadata, the file is probably malicious or corrupted in some way, at least. This is after installing exiv2 on your Unix system. Unfortunately, this can be dangerous if the file contains malicious shell code. Not sure how robust exiv2 is against an adversary, so use it with caution. I have not used it, but I thought about using it.

    function isFileMalicious($file)
    {
        // "exiv2 rm" strips all metadata in place; any output (with stderr
        // redirected into stdout) or a non-zero exit code means exiv2 could
        // not process the file, which is the "probably malicious" signal.
        try {
            $out = [];
            $rc  = 1;
            @exec('exiv2 rm ' . escapeshellarg($file) . ' 2>&1', $out, $rc);
            if (!empty($out) || $rc !== 0) {
                return true;    // exiv2 complained: treat as malicious/corrupt
            }
        } catch (Exception $e) {
            return true;        // fail closed on any error
        }
        return false;           // exiv2 processed the file silently
    }
0