
I have an image upload website. Someone is uploading shell files here. My validations are:

- Check the file's MIME type (only image MIME types are allowed)
- Check whether getimagesize returns an array (with is_array); if not, show an error

And still, someone is uploading shell files. Please help. Thanks a lot!

Little check:

```php
// Validation as posted. Note: $_FILES['files']['type'] is the Content-Type the
// client sent with the request, not a value derived from the file's bytes.
$ext = $_FILES['files']['type'];
if (($ext != "image/jpeg") && ($ext != "image/pjpeg") && ($ext != "image/png")
    && ($ext != "image/gif") && ($ext != "image/bmp") && ($ext != "image/x-icon")
    && (!is_array(getimagesize($_FILES['files']['tmp_name'])))) {
    // Show error
} else {
    // Keep upload...
}
```
Comments:

- Besides the fact somebody can upload shells, I wonder how they run them. Do you let people upload files in a public location? (Commented May 20, 2013 at 0:26)
- Could you show us your code? (Commented May 20, 2013 at 0:30)

1 Answer

You should check the file permissions; they should not be executed by PHP. It's easy to store data in the raster data matrix of an image (obviously).

Look at these innocent jellyfish:

[Image: Innocent jellyfish]

Stack Overflow converted my innocent .BMP into a .PNG.

The original .bmp can be found on a friend's server. If you look in the bottom-left corner, you will see strange pixels, corresponding to ASCII data written in the pixel data.

In order to avoid shell files, you should apply a modification which will alter every pixel of the image a little bit.

To me, conversion (compression) seems a good start.

Good luck!
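An added example of the handling this answer describes (not code from the question or the answer): the real MIME type is sniffed from the bytes rather than taken from the client-supplied `$_FILES[...]['type']`, the image is decoded and re-encoded through GD so the stored file contains only a freshly compressed version of the pixels, and the result is written under a generated name into a directory that is assumed to sit outside the document root. The field name `files`, the constant `UPLOAD_DIR` and the function `store_uploaded_image` are assumptions; PHP 8 with the GD and fileinfo extensions is assumed.

```php
<?php
// Added example (not from the question or answer), PHP >= 8 with GD and fileinfo.
// Assumed: form field 'files'; UPLOAD_DIR is writable by PHP but outside the
// document root, so nothing stored there is ever served or executed as a script.
const UPLOAD_DIR = '/var/app/uploads'; // assumption
const MAX_BYTES  = 5 * 1024 * 1024;

function store_uploaded_image(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Sniff the real type from the bytes; $_FILES['files']['type'] is sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => IMAGETYPE_JPEG, 'image/png' => IMAGETYPE_PNG,
                'image/gif'  => IMAGETYPE_GIF];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }
    // getimagesize as a second opinion: its detected type must agree with finfo.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$mime]) {
        throw new RuntimeException('Not a valid image');
    }
    // Decode, then write a fresh lossy JPEG: headers, metadata and trailing bytes
    // of the original are discarded and the pixel values themselves are perturbed.
    $img = match ($mime) {
        'image/jpeg' => imagecreatefromjpeg($file['tmp_name']),
        'image/png'  => imagecreatefrompng($file['tmp_name']),
        'image/gif'  => imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    // Generated name with a fixed extension; the client's filename is never used.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, $dest, 85)) {
        throw new RuntimeException('Could not write image');
    }
    imagedestroy($img);
    chmod($dest, 0640); // data file, never executable
    return $dest;
}

echo store_uploaded_image($_FILES['files']);
```

Re-encoding replaces the uploaded bytes entirely, but the stored directory still needs to be one the web server neither serves directly nor hands to the PHP interpreter.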


1 Comment

Ha ha. Same thing I did a while back. Only that I used a GIF, as the first few bytes of a GIF are text and do not cause much problem with scripts.
