I just transferred a website to a new server and have a strange problem. On all of the pages that have a PHP include command, the file stopped uploading, and cut off everything from that line of PHP down. Not just when executing, but when uploading the file via FTP. I can remove the include command, and it uploads the full 4KB page, but with it, the page only uploads the 1KB before the command. What gives?
allow_url_include is turned on, the file that's included is just basic HTML, and it worked fine on the old server... I've never been unable to upload a file because of a problem in the code before. Any ideas?
That might be a security measure from the hosting company.
It is a common attack vector to brute-force FTP passwords then add/modify PHP scripts to include() malicious code from another compromised server.
I would contact the hosting company and ask them. They may have to lower their security for you, add your IP address to a whitelist, or provide an alternative method for uploading files (SSH/SFTP for example).
If you can't contact the system administrator and have SSH access then try connecting by SFTP and uploading again.
I have a project briefly described as follows:
There is a server which allows clients to upload 7z-compressed files which are expected to contain only XML files. The uploading is via FTP (server-side using FileZilla Server). I have done some basic restriction, like enforcing firewall rules so that only IPs in the whitelist can do file transfer.
On scheduled time, the server-side batch script will decompress the 7z files and then some PHP programs will process the XML files.
It works fine so far. But I guess it lacks security considerations. Is it possible that the PHP program opens some fake XML file which might result in some bad consequence? Or is it possible the 7z files are camouflage for a virus or something dangerous, and the decompressing just triggers their malicious behavior? I would like to ask for opinions about how I can validate the files before using them.
Thank you!
We have a server that has been compromised that is running WordPress and Magento and is running them on about 5 domains all on the same server.
The hacker has been uploading their malicious scripts throughout the file system in hundreds of locations. It is a nightmare at this stage and I am still unable to find the entry point.
I did just notice that one of our AJAX image upload fields allows me to rename a PHP file as a .jpg and upload the file to the server.
When I access the PHP .jpg file in the browser it serves a broken image.
So I am not sure if the hacker would be able to upload a PHP file here and access it as a PHP file, or if it would just serve it as a broken image like it did for me in the browser?
Any ideas on how much of a security threat this could be? Could it potentially be my entry point where the hacker gained initial access? Or does the fact that it serves as a broken image instead of processing the PHP file when I load it in my browser mean that it's somewhat secure?
Any help appreciated, thank you
Hard to say if the hacker has done something without actually checking what's there.
Regarding how to secure future image uploads, I would advise using a function like finfo in PHP (http://php.net/manual/en/function.finfo-file.php) to find out if a file belongs to any of the approved MIME types, which, btw, you should restrict to only a limited set of image types.
Also you should consider not allowing the use of the original image, but instead an adjusted version of it, to avoid that users end up downloading huge images or things like that.
Answer:
Usually (depending on the web server configuration) no one can execute a PHP file if it has a different extension. They could have uploaded it, but they can't run it, at least in any common configuration.
So, in theory you should not have to worry about that specific thing, but do be worried that someone is spending time trying to hack you, and that means you should expend time protecting the site and server.
I would recommend searching for articles on how to protect your specific server and configuration and to make sure you update your software, OS and such to the latest security updates.
Being able to upload a file with .jpeg file extension but PHP content is not a vulnerability in itself. However:
if the attacker is writing all over the file system you might have an upload function with a directory traversal vulnerability which will need fixing, ideally by not letting the uploader choose their own filename at all;
there are other problems to do with cross-site-scripting when you let users upload content to be served from the same hostname as the site;
it may be worth checking an uploaded file using something like getimagesize() to ensure that you have a JPEG file and non-ridiculous dimensions, but given the possibility of ‘chameleon’ files that can be interpreted as multiple different types this is not necessarily watertight, so this is a ‘defense-in-depth’ measure at best.
Getting a web server to run a .jpeg file as PHP code could happen by:
being able to write to server configuration to associate .jpeg with the PHP handler. Typically this would happen because another vulnerable file upload feature allowed an attacker to write a .htaccess file in the same directory for Apache to pick up.
a PHP script with a Local File Inclusion security hole. Typically this would be code like:
include("include/$variable");
where an attacker can get content into $variable, to point to something.jpeg. Generally include/require should never be used with variables unless those variables are explicitly limited to a few known-good values.
The other likely possibility if you have a load of malicious pages uploaded to your server is that your server login is compromised.
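Added example, not part of the original answers: one way to combine the checks suggested in this thread (content-based type detection with finfo, a getimagesize() sanity check, and a filename chosen by the server) in a PHP upload handler. The field name `image`, the `UPLOAD_DIR` path and the size limits are assumptions.

```php
<?php
// Added example. UPLOAD_DIR is an assumed path; it should be a directory
// where the web server is not configured to run PHP or read .htaccess.
const UPLOAD_DIR = '/var/www/uploads';
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 5 * 1024 * 1024;
const MAX_SIDE = 8000; // pixels

function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Type is detected from the content, not from the client-supplied
    // filename or the client-supplied $_FILES[...]['type'] value.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('Type not allowed');
    }
    // Defence in depth: the file must also parse as an image of sane size.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > MAX_SIDE || $info[1] > MAX_SIDE) {
        throw new RuntimeException('Not a valid image');
    }
    // The server picks both name and extension, so the uploader cannot
    // supply a path, a .php extension or a .htaccess filename.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses anything that is not this request's upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

if (isset($_FILES['image'])) {
    try {
        echo 'stored as ', store_uploaded_image($_FILES['image']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```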
I am trying to move a website from one server to another. However, when I try to access this website in a browser it only downloads a 1kb file called "download." What could be causing this? The original site has SSL certificates as well as a lot of code written in php, sql, json, ajax, etc.
This question was closed as "not a real question" but I did not have time to respond to the comments. If this is a simple answer then, by all means, please give me the answer. I have moved all files from the old server to the new server using an FTP client. All of the files have moved successfully. When I try to log in to the base page, or go to the index.php page, all that happens is a 1kb download titled "download" begins and ends. This file has no extension and is not able to be opened. This problem has also occurred over multiple hosting companies as I have been trying to move this site for two weeks now.
I have had a similar problem before.
Try opening the "download" file with a text editor (perhaps rename it to download.txt to make it easier to open)
Once you have opened the file you will probably see the source of index.php. This would indicate that it is due to a misconfiguration of your server, possibly due to whoever set up the server or possibly due to your own .htaccess.
Firstly try deleting your .htaccess (some ftp clients may hide it). Does it work now?
If not try uploading a text file or image and checking if this file is being served, if not then there is something gravely wrong with the server config, probably not due to you.
If this does work then it is due to the PHP configuration, essentially the script is not being sent to PHP for processing, if this is the case then I would make sure PHP is installed and allowed on that server.
I've hosted a site on a shared hosting server.
I've given permission 776 to a folder. Is it possible for someone to upload a file using move_upload_file to my server from his home PC or own server?
Edit
If I do not provide the front panel or some UI to the user, is it still possible to upload a file?
You use move_uploaded_file (note: upload*ed*) to move/rename files in your PHP scripts on your server. The special thing about move_uploaded_file vs. rename is that it will check whether the file was just uploaded in the same HTTP request. If it wasn't, it will fail with an error.
This is to prevent errors in your script or malicious users from tricking your server into moving any other sort of files around that you didn't intend to move. Using it you can be sure that you're only moving uploaded files out of the temp directory to some other destination.
That's all it does. It does not upload files to some other server. You cannot simply upload files to some other server without that server handling that upload somehow (like through a PHP script, FTP, SCP etc).
Not sure what you're asking exactly.
If you're saying, can you make an HTML form and have someone hit that from their browser to upload. That depends what user apache runs as. You can make an HTML form, catch it with PHP and use move_uploaded_file if whatever user apache runs as can create a file in that directory.
If you're thinking someone can write a php script on another computer, and use the function move_uploaded_file, then no, you definitely can't. That's not what that function does. I'd recommend using SCP for something like that.
No, if you do not provide a script which receives the file and moves it, some other user can't upload a file to your server.
All move_uploaded_file does is move a file from the temporary directory on the hard drive to a different location on the same hard drive. It cannot put files on someone else's computer.
Your question is equivalent to asking whether your next door neighbor can copy child pornography onto your home PC's hard drive over the internet. You should be happy that the answer is no.
I'm doing a security audit on my friend's website. One piece of functionality is allowing users to upload files from html. The only validation is renaming the file to the current time stamp.
I was wondering, is there a way to upload a malicious file so that when a user goes to the url for that file, it executes code (on the server side)?
I tried uploading a hello-world php script, but it simply displays the code rather than executing it. If the file extension was .php, it would be executed, however, there is no file extension (because the file was renamed).
EDIT: I have access to the complete source code as part of the security audit. It would be better if I could solve this issue without using it, but I can answer any questions about the source code if needed.
As far as I know, uploading the file and visiting it via the browser can not execute it server-side, unless the server is set to execute files without extensions.
However, if there's other vulnerabilities like Local File Inclusion you might be able to upload and execute a php script.
You can read a bit about File inclusion here:
Wiki on RFI (almost the same) and here
Document on LFI and how it can be used
If you can execute the file or not depends a lot on the server/site's setup, so you'll have to pen-test it yourself to see if you can execute a PHP script.
The only thing you can do in a file with no extension is, as you mention yourself, XSS, but only in older browsers (IE8 and down is vulnerable, most other browsers aren't.)
The security scanner Chorizo! might be of interest:
https://chorizo-scanner.com/
The solution was implemented by a company, which does daytime PHP consulting and coding.
It's a paid service. One scan is free.
Well, one thing that you would always remain at risk for is providing the possibility of getting malicious code onto the server - whether or not they would be able to execute it merely by viewing the URL of the specific file isn't all you have to think about.
If there was a vulnerability in YOUR code where you dynamically include or open local files on the server, then one could simply include the (now) local malicious code to be executed. Now granted this sort of attack is even common with people trying to include code on remote servers, but some setups are configured to prevent including remote files which would stop those attacks. Such a configuration would still leave you vulnerable if the code is physically on the machine and a weakness is found in your executable code.
That's just a thought - I wouldn't worry or panic too much about it, but I wouldn't entirely rule it out either.
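Added example, not from the original posts: the dynamic-include weakness described in the answers here, closed by resolving the request value against a fixed map of known-good pages and then confirming the resolved file sits inside the include directory. The page names, directory layout and sample inputs are constructed for the demonstration.

```php
<?php
// Added example; page names, layout and inputs below are constructed.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

// Map a request value to a file under $includeDir, or null if not a known page.
function resolve_include(string $includeDir, $requested): ?string
{
    // 1. Exact match against fixed keys: the request value itself never
    //    becomes part of a filesystem path.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // 2. Defence in depth: the mapped file must exist and resolve to a
    //    location inside $includeDir (catches symlinks or a bad map entry).
    $base = realpath($includeDir);
    $path = realpath($includeDir . '/' . PAGES[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed layout in a temp directory so the example runs offline.
$root = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir("$root/include", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/include/home.php", "<?php echo 'home page';");
file_put_contents("$root/include/about.php", "<?php echo 'about page';");
file_put_contents("$root/uploads/something.jpeg", "uploaded content");

// Constructed request values, including ones that are not page keys.
$inputs = ['home', 'about', '../uploads/something.jpeg', 'home.php', ['home'], ''];
foreach ($inputs as $in) {
    $path = resolve_include("$root/include", $in);
    printf(
        "%-32s %s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : 'include ' . basename($path)
    );
}
```

In a real page the caller would `include` the returned path, or fall back to a default page or a 404 when the function returns null.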
From my understanding a lot of web output relies on reading files not actually executing them. A server will need specific permissions to execute a file.
The solution is firstly to check that the file types uploaded are allowed. If you are only uploading images - you don't expect a .php script. But this does not stop me creating bad.php and uploading it as bad.jpg.
I for example (on my ubuntu box) uploaded a php file with 777 permissions and could only run it by typing php hello.php. You would never normally do an include() on a file someone has uploaded so I believe most code relates to being readable.
Wikipedia's page on File inclusion is a good start and includes a PHP example:
https://en.wikipedia.org/wiki/File_inclusion_vulnerability
Upload a file with javascript. There are plenty of js vulnerabilities.
http://en.wikipedia.org/wiki/Cross-site_scripting