  #1  
Old 05-25-2008, 05:56 PM
gopat
Registered User

Join Date: May 2008
Posts: 5

phUploader File Upload Vulnerability

I noticed this phUploader security issue at: SecurityFocus.

Below is a summary from SecurityFocus Archives:

Quote:
phUploader is prone to an arbitrary file-upload vulnerability because the application fails to sufficiently sanitize user-supplied input.
Could you provide a code snippet to sanitize the user input, or better yet add it to a new version?

Great script, keep up the good work!
  #2  
Old 05-25-2008, 06:08 PM
Scott
AKA. Panther

Join Date: Sep 2001
Location: Minneapolis, MN
Posts: 10,922

It's not really a vulnerability but rather an annoyance. If someone uploads a file with a special character you may not be able to delete it through FTP. Make sure you set file extensions to exclude file types that are prone to cause attacks such as exe, src etc. as the script cannot tell if the file is an exploit. It may also be helpful to run a virus scanner in the background like you should be doing on a server anyways.

To fix it do this:

After (line 185):
PHP Code:
// For random names
If($random_name){
    $file_name[$i]=time()+rand(0,100000).".".$ext;
} Else {
    $file_name[$i]=$_FILES['file']['name'][$i];

Add:
PHP Code:
// Characters to strip from the uploaded file name
$sanatize = array(" ", "`", "\"", "'", "\\", "/");
$file_name[$i] = str_replace($sanatize, "", $file_name[$i]);
Thanks for letting me know about this and thanks for using my script!
__________________

04' Dodge SRT-4, Mopar Stage 3, 406whp/436wtq

Last edited by Scott; 05-25-2008 at 06:14 PM.
  #3  
Old 05-25-2008, 07:21 PM
gopat
Registered User

Join Date: May 2008
Posts: 5

Sweet! I will do that! Thanks for the speedy reply.
  #4  
Old 05-25-2008, 08:05 PM
gopat
Registered User

Join Date: May 2008
Posts: 5

I added the suggested code but encountered an error from the "\" section, which I replaced with "\\" to escape the escape character and avoid the error missing the double quote.

Then I reduced the code to test just file names with spaces, since I really need this feature... My sanitize line is now:
$sanatize = array(" ");

This was very easy to test by uploading file names with spaces. The program completed but it did not remove the spaces in the uploaded file names. Any ideas why? Can you verify this?
Thanks!
  #5  
Old 05-25-2008, 08:35 PM
gopat
Registered User

Join Date: May 2008
Posts: 5

Oops, I forgot to mention that the "random_name" variable is set to false, so the code will be executed in the "Else" clause.
  #6  
Old 05-26-2008, 05:58 PM
Scott
AKA. Panther

Join Date: Sep 2001
Location: Minneapolis, MN
Posts: 10,922

Sorry, I didn't test the above code before posting it as I was in a rush. I thoroughly tested this and it works. Remove any previous changes.

Replace:
PHP Code:
// For random names
If($random_name){
    $file_name[$i]=time()+rand(0,100000).".".$ext;
} Else {
    $file_name[$i]=$_FILES['file']['name'][$i];

With:
PHP Code:
// For random names
If($random_name){
    $file_name[$i]=time()+rand(0,100000).".".$ext;
} Else {
    // Characters to strip from the uploaded file name
    $sanatize = array(" ", "`", "\"", "'", "\\", "/");
    $file_name[$i]=str_replace($sanatize, "", $_FILES['file']['name'][$i]);

  #7  
Old 05-27-2008, 12:51 PM
gopat
Registered User

Join Date: May 2008
Posts: 5

The new code will throw an error (see below), I think because the backslash cancels the double quote (see fix below). However, I was not able to test my changes in the code.

It worked like a charm after the above change. I was able to test uploading a file with spaces and they were removed as expected. Thanks for your effort!


Quote:
//Error below:
PHP Parse error: syntax error, unexpected '"', expecting ')'

//Here is the line of code that fixed it, note the double backslash...
$sanatize = array(" ", "`", "\"", "'", "\\", "/");
  #8  
Old 05-27-2008, 12:55 PM
Scott
AKA. Panther

Join Date: Sep 2001
Location: Minneapolis, MN
Posts: 10,922

Weird!! It's the forum software that was removing my double backslash. I knew I tested that code right before I posted it.

Glad it worked for you
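The str_replace() line from posts #6 and #7 removes characters that make files awkward to delete, but on its own it does not address the SecurityFocus advisory quoted in post #1, since a name like "shell.php" passes through untouched. The following is an added example, not phUploader's own code, of a filename clean-up that also drops path components, removes control bytes and enforces an extension allow-list; the function name, the allow-list and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not phUploader's code): a hardened version of the filename
// clean-up from posts #6/#7. It strips the same characters, but also drops any
// path component, removes control bytes and enforces an extension allow-list,
// because removing quotes and slashes alone does not stop a .php upload.
// The allow-list below is a constructed sample; adjust it per deployment.

/**
 * Return a safe name for storing an uploaded file, or null to reject it.
 *
 * @param string   $uploadedName client-supplied name ($_FILES['file']['name'][$i])
 * @param string[] $allowedExts  lower-case extensions that may be stored
 */
function safe_upload_name(string $uploadedName, array $allowedExts): ?string
{
    // 1. Never trust a client-supplied path: keep only the last component,
    //    after normalising Windows separators, so "../x" and "C:\x" collapse.
    $name = basename(str_replace('\\', '/', $uploadedName));

    // 2. The characters the thread removes, plus NUL and other control bytes.
    $name = str_replace([' ', '`', '"', "'", '\\', '/'], '', $name);
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // 3. Allow only a conservative character set; anything else becomes '_'.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // 4. Reject names that are empty after cleaning or consist only of dots.
    if ($name === '' || trim($name, '.') === '') {
        return null;
    }

    // 5. Extension allow-list on the LAST extension. A double extension such
    //    as "x.php.jpg" still passes as ".jpg", so the upload directory must
    //    also be served with script execution disabled.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExts, true)) {
        return null;
    }
    return $name;
}

// Constructed sample inputs; run with `php thisfile.php` to see the results.
$allowed = ['jpg', 'png', 'gif', 'pdf'];
foreach (["my photo (1).jpg", "../../../etc/passwd", "shell.php", "it's \"quoted\".png"] as $n) {
    var_dump(safe_upload_name($n, $allowed));
}
```

The rejected cases return null so the calling script can refuse the upload instead of silently storing a renamed file; the allow-list check is only as good as the web server configuration that keeps the upload directory non-executable.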