MJ Ray wrote:
"Dennis Dryden" ddryden@gmail.com wrote:
Maybe I'm just being naive, but couldn't you just check the file extension/MIME type to make sure uploads are images, and not allow execution rights on uploads?
Close but no cookie: the sender sends the file extension and MIME type (so they can't be trusted), while things like PHP modules usually execute files without needing execution rights, so you need to explicitly switch them off.
Also: I'm approaching this from the POV of a server admin not a code writer (although I am both!). I want the server to guard against poor coding, not just rely on it not happening!
Apache determines how to interpret a file by file extension, so it wouldn't actually matter if someone uploaded a script with a .png extension; Apache would just serve it as an image, not run it as a script. So just limiting the file extensions in writeable directories would be fine, except that there are so many to allow (.doc, .zip, .png, .jpeg, .jpg, etc. for starters; any explicit list of allowable extensions is likely to forget useful ones like .odt etc., which would be bad for other reasons), and listing the ones to disallow is open to missing something and needs knowledge of the server configuration (we have several sites which parse .html as PHP, for example).
So, this is a PITA. Anyone writing an Apache module to stop things from server-writeable directories running?
The problem with apps like Joomla is that they have writeable directories scattered all over the place, and all under docroot. I don't really see a good reason to have any writeable dirs under docroot; OK, so images can't then be served directly, but a script to pass them through safely is trivial and can then do other things (like dynamically resize images depending on requirements, limit access depending on access rights, or log view counts to a database).
Since with Joomla almost everything should go through index.php, I might try renaming that as index.phpx, and only letting .phpx scripts get executed (by which I mean "parsed as PHP"). But that only helps until someone uploads a .phpx file.... (Actually the exploit I just had to deal with relied on a file intended to be an include file being called directly, so this fix would have prevented the script getting uploaded in the first place. But that's got too much of a "special case" feel to me.)
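One way to get the server-side guard asked for above from the Apache configuration alone rather than from a new module, added here as an example and not from anyone in the thread. The directory path is a placeholder, and the block assumes Apache 2.4 (for the `Require` syntax) with PHP run either as mod_php or through php-fpm:

```apache
# Belt and braces for a tree the web server can write to (an upload or
# cache directory under DocumentRoot): whatever name or extension a file
# carries, Apache hands it out as static bytes and never passes it to
# PHP, CGI or SSI. Put this block AFTER the global PHP handler
# configuration so that its nested sections are merged later and win.
<Directory "/var/www/example/uploads">
    # An uploaded .htaccess must not be able to re-enable anything below.
    AllowOverride None

    # No CGI execution, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes

    # mod_php only: switch the interpreter off for this tree. php_admin_*
    # settings cannot be overridden from .htaccess or ini_set().
    # (The source file is named mod_php7.c on PHP 7 builds.)
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Handlers are normally attached per extension (AddHandler) or, for
    # php-fpm, by a global <FilesMatch "\.php$"> with SetHandler. This
    # <FilesMatch> is merged at the same stage as that global one and,
    # being later in the config, overrides it: every file in the tree gets
    # Apache's plain static-file handler. This also covers names with
    # several extensions (e.g. x.php.jpg), which mod_mime would otherwise
    # match on each extension in turn.
    <FilesMatch ".*">
        SetHandler default-handler
    </FilesMatch>

    # Optional second layer: with the handler stripped, a stray script
    # would be served as downloadable source; refuse the usual script
    # extensions outright so it is a 403 instead. This is a deny-list, so
    # it is a backstop, not the primary control.
    <FilesMatch "\.(php[0-9]?|phtml|phar|cgi|pl|py|shtml)$">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading, a quick check is to drop a file named test.php containing `<?php echo 1;` into the directory and request it: the response should be a 403 (or, with the last section removed, the literal source bytes with a non-PHP Content-Type), never `1`.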