
I totally agree with the accepted answer, but I would suggest doing a little bit more than just playing around with the filename. You should re-compress the original/uploaded file with PHP using GD or Imagick and use the new image. This way, you destroy any injected code (to be honest, 90% of the time there are ways to make the code survive the compression, but it's a lot of work).

Also, you could use .htaccess files to prevent the upload directory from running PHP code (I don't know about IIS, but there is probably an equivalent web.config).

    <FilesMatch \.php$>
        SetHandler application/x-httpd-php
    </FilesMatch>

This way, the uploaded file will be executed only if the "final extension" is .php, so image.php.jpg will not be executed.

Some resources:

a nice article about file uploads

php manual installing apache


akman
