PHP arbitrary file upload Vulnerability, CVE-2 0 1 5-2 3 4 8-a vulnerability warning-the black bar safety net

2015-04-03T00:00:00
ID MYHACK58:62201560694
Type myhack58
Reporter 佚名
Modified 2015-04-03T00:00:00

Description

Security researchers today published a medium-risk vulnerabilities--PHP arbitrary file upload Vulnerability, CVE-2 0 1 5-2 3 4 8 in. In the Upload File only when the determined file name is the legal name of the file to conclude that this file is not malicious file, which will indeed lead to other security issues. And in this case, in your own file to check the vulnerability is not real, because this vulnerability can bypass you for the file name suffix, file type(Content-Type), Mime type, file size, etc. of the check, so only rely on these checks is not going to save you. Vulnerability details This vulnerability exists in php in a very commonly used function: the move_uploaded_files, the developer always use this function to move the uploaded file,this function will check is upload whether the file is a legitimate file(whether it is through the HTTP post mechanism to upload), if it is a legitimate file, then it is certain to a specified directory. Example: move_uploaded_file ( string $filename , string $destination ) The problem here is that you can in the file name to insert a null character(many times before to fix this vulnerability, such as CVE-2 0 0 6-7 2 4 3), by inserting null characters, an attacker can upload arbitrary files, caused by a remote code execution vulnerability. I'm here with DVWA to demonstrate this example, DVWA level up a title because of various reasons not very easy to pass, intended to tell developers how to develop more secure file upload components. Let's look at this example: Code fragment: $uploaded_name = $_FILES['uploaded']['name']; $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name, '.') + 1); $uploaded_size = $_FILES['uploaded']['size']; if (($uploaded_ext == "jpg" || $uploaded_ext == "JPG" || $uploaded_ext == "jpeg" || $uploaded_ext == "JPEG") && ($uploaded_size This code has many loopholes, such as XSCH, XSS, but no RCE this serious vulnerability, because from PHP 5.3.1 to start, the empty character of the problem has been fixed. The problem here is that the DVWA users to upload the name parameter passed to the move_upload_file()function, then the php implementation of the operation may be is like this: move_uploaded_file($_FILES['name']['tmp_name'],"/file.php\x00.jpg"); This was supposed to create a named file. php\x00. jpg files 但 实际上 创建 的 文件 是 file.php the. Thus, it bypasses the code in the suffix of the name of the check, and it turns out the GD library and a lot of other functions also have this problem(such as getimagesize(), imagecreatefromjpeg (), etc...), you can see this example. If you machine the php version in 5.4.39, 5.5. x – 5.5.23, or 5.6. x – 5.6.7, you can check the file name whether there is a\x00 character to resolve herein the issue. Safety recommendations If your machine is on the existence of this vulnerability, we recommend using a random string to rename the file name, instead of using the user to upload up to the name parameter value.