PHP
sr36, 2020-04-20 12:21:28

Is this section of PHP code vulnerable to loading an arbitrary file?

Good afternoon. I am now finalizing a small site; I did not write the code originally. I came across the following piece of code:

<?php
session_start();
if (0 < $_FILES['file']['error']) {
    echo 'Error into upload.php file.';
} else {
    $id = $_POST['user_id'];
    $type =  $_POST['type'];
    if (!file_exists('uploads/' . $id)) {
        mkdir('uploads/' . $id, 0777, true);
    }
    $infos = pathinfo($_FILES['file']['name']);
    if ($type == "attachments") {
        $allowed_extensions = array("psd","ai","eps","pptx","rtf","wma","odp","ods","sxw","sxi","sxc","dwg","xps","jpg","jpeg","png","gif","svg","pdf","doc","docx","key","ppt","odt","xls","xlsx","zip","rar","mp3","m4a","ogg","wav","mp4","mov","wmv","avi","mpg","ogv","3gp","3g2","mkv","txt","ico","exe","csv","java","js","xml","unx","ttf","font","css");
        if (in_array($infos['extension'], $allowed_extensions)) {
            $file_name = $_FILES['file']['name'];
            move_uploaded_file($_FILES['file']['tmp_name'], "uploads/" . $id . "/" . $file_name);
        }
    } else {
        if ($infos['extension'] == "jpg" || $infos['extension'] == "png") {
            $url = "uploads/" . $id . "/" . $id;
            move_uploaded_file($_FILES['file']['tmp_name'], $url . "." . $infos['extension']);
            if ($infos['extension'] == "png") {
                imagejpeg(imagecreatefrompng($url . "." . $infos['extension']), $url . ".jpg", 90);
                unlink($url . "." . $infos['extension']);
            }
        }
    }
}
?>


I became curious whether this piece of code is vulnerable to uploading a file with a php extension. On the one hand, only extensions from the "white list" are allowed. On the other hand, the in_array($infos['extension'], $allowed_extensions) check does not inspire confidence. I don't have enough experience to tell; I would be grateful for help.


4 answer(s)
Eugene, 2020-04-20
@Nc_Soft

As a rule, whether this is a vulnerability is determined more by the configuration of the web server: which files it can execute, and how.

nokimaro, 2020-04-20
@nokimaro

I see in the code the ability to upload a file outside the uploads/ folder by substituting $_POST['user_id'].
Depending on the server settings, potentially, in conjunction with the rest of the code, you could overwrite files on the server or add your own:

  • robots.txt
  • sitemap.xml
  • any JS used on the site
  • any CSS used on the site
  • any images used on the site

xmoonlight, 2020-04-20
@xmoonlight

$id = $_POST['user_id']; // here's the catch!
$type =  $_POST['type'];
if (!file_exists('uploads/' . $id)) {
    mkdir('uploads/' . $id, 0777, true);
}

Filter all input parameters through regular expressions!

qdevelopment, 2020-04-21
@qdevelopment

First, information such as user_id is usually stored in the session. In your case, it turns out that the user can enter the user_id of another user (and the value is not filtered) and upload the file to their folder.
Secondly, you cannot save the file with the name specified in the request from the user. Generate a unique string and store the file under this name with a whitelisted extension.
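To tie the thread together, here is an added example (not code from the question or from any of the answers) of a hardened version of the upload handler that applies the points raised above: the user id is taken from the session rather than $_POST and validated against a strict pattern, the stored file gets a generated name, the extension is lower-cased and checked against a short whitelist, and the destination directory is confirmed to lie under the upload root before anything is moved. The function names, the UPLOAD_ROOT constant, the shortened whitelist and the sample inputs in the self-check are assumptions made for this example.

```php
<?php
// Added example, not from the original thread. Hardened upload handler that
// addresses the problems discussed above. Names and constants are assumptions.
declare(strict_types=1);

const UPLOAD_ROOT = __DIR__ . '/uploads';

// Deliberately shorter than the original list: extensions the server could
// treat as active content (exe, js, svg, ...) are left out on purpose.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'csv', 'docx', 'xlsx', 'zip'];

// Accept a user id only if it is a plain positive decimal number. Anything
// else (including "..", "/" or a NUL byte) is rejected, so the id can never
// form a path that escapes UPLOAD_ROOT.
function validate_user_id($id): ?int
{
    if (is_int($id) && $id > 0) {
        return $id;
    }
    if (is_string($id) && preg_match('/\A[1-9][0-9]{0,11}\z/', $id) === 1) {
        return (int) $id;
    }
    return null;
}

// Lower-case the extension so "PNG" and "png" are treated the same, then
// require an exact (strict) whitelist match. Files without an extension,
// or with a trailing dot, yield "" and are rejected.
function allowed_extension(string $originalName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

// The client-supplied name is used only to derive the extension; the stored
// name is random, so the upload can neither overwrite another file nor carry
// a name chosen by the client.
function build_destination(int $userId, string $originalName): ?string
{
    $ext = allowed_extension($originalName);
    if ($ext === null) {
        return null;
    }
    return UPLOAD_ROOT . '/' . $userId . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Final guard, run once the directory exists: its resolved path must sit
// under the resolved upload root.
function inside_upload_root(string $dir): bool
{
    $realRoot = realpath(UPLOAD_ROOT);
    $realDir = realpath($dir);
    return $realRoot !== false && $realDir !== false
        && strpos($realDir . '/', $realRoot . '/') === 0;
}

// $file is one entry of $_FILES; $sessionUserId comes from $_SESSION,
// never from the request body. Returns the stored path, or null on refusal.
function handle_upload(array $file, $sessionUserId): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $userId = validate_user_id($sessionUserId);
    if ($userId === null) {
        return null;
    }
    $dest = build_destination($userId, (string) $file['name']);
    if ($dest === null) {
        return null;
    }
    $dir = dirname($dest);
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    if (!inside_upload_root($dir) || !move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // no execute bit, not world-readable
    return $dest;
}

// Self-check of the validation logic with constructed inputs (no real upload).
if (PHP_SAPI === 'cli') {
    var_dump(validate_user_id('42'));
    var_dump(validate_user_id('../../etc'));
    var_dump(allowed_extension('photo.PNG'));
    var_dump(allowed_extension('shell.php'));
    var_dump(allowed_extension('noext'));
}
```

In the handler itself, session_start() runs before this file is included and handle_upload($_FILES['file'], $_SESSION['user_id'] ?? null) is the only call; the web server should additionally be configured so that nothing under uploads/ is ever executed, which is the point Eugene makes above.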
