My file upload routine first checks to make sure the user is logged in to the WordPress application which is hosting the upload form...CHECK!

Here is the code at the top of my uploader utility that does this...

// Refuse the request outright unless WordPress has an authenticated user.
if (!is_user_logged_in()) {
    die("You Must Be Logged In to Access This");
}

So far so good. Now I'm seeking to further secure the upload utility to prevent malicious scripts from being extracted from the uploaded zip files (the upload requires a zip file).

The downside to using a zip, I presume, is that it can contain any number or type of files that might make it more complicated to handle than otherwise.

So my question is for tips on how to further secure this uploader to make sure no malicious files are sent. The desired allowed files are .php, .jpg, .gif, .png

Scott B

1 Answer

Your approach goes the wrong way. You need to make sure that none of the files in the ZIP file are ever going to be used in a situation in which malicious files could do any damage.

You will never be able to guarantee that an uploaded ZIP file contains only non-malicious data. To do that, you would have to virus scan it, parse the contained PHP code, and whatnot.

Just see that whatever maliciousness is contained, can never unfold.

For PHP scripts, for example, you would have to ensure that they are not stored anywhere where they can be called from the outside, and executed.

For images.... Well, if you want to make totally sure they don't contain any exploits that attack image displaying components, you could always copy them using PHP's GD functions, destroying any EXIF metadata (and probably any other harmful stuff) in the process.

There is still some basic sanitization one could and should do. Check out this question (link below, markdown seems broken right now) for more reading on the issue - especially bobince's answer and the link he posts. That taught me a lot.

How to make a safe file upload script in php?

Pekka
  • Thanks for the info Pekka. This is for a wordpress theme that will receive periodic updates. Rather than requiring the whole theme to be deleted and overwritten, I'm seeking to provide a means, via the theme's own options panel, to install/upload a zip file that updates the relevant files. – Scott B Jan 27 '10 at 17:27
  • Pekka, would it be more secure to do something similar to what wordpress itself does. Provide an "upgrade" button that automatically updates the installation remotely? I have no idea how they do this but I'd like to find out if its a better way to do what I want to do... – Scott B Jan 27 '10 at 17:28
  • Hmm. I think when installing upgrades (and thus, probably, PHP files), you have no real way of securing anything. How do you want to tell apart malicious PHP code from benevolent code? Impossible to do. You'll have to trust the download location you fetch your updates from, and make *real* sure that can't get compromised. – Pekka Jan 27 '10 at 17:32
  • If I go with the localized upload (via theme options with a zip file), would it be more secure if I send a password in the email and require that password to be used before the upload will process? – Scott B Jan 27 '10 at 19:05
  • It will hardly add security, will it? If I have FTP access to a site, I can hack it anyway, be it with the help of your template or without. – Pekka Jan 27 '10 at 19:16
  • Good point, but I'm just covering my own due diligence with my code. If the FTP gets compromised, that's not under my control :-). I'm sending this to customers of my theme so I'm covering DD in that regard... – Scott B Jan 27 '10 at 19:25
  • I see. Well what you can do is what many Open Source packages do, publish the MD5 hash value of the file, as a possibility for the receiver to check the integrity of the file before uploading. You could also, as an additional safeguard, connect to your central server and check whether the md5 hash of an uploaded file matches that of the current official release. That's all I can think of. – Pekka Jan 27 '10 at 19:59
  • I think your answer perhaps indicates that you are responding to the case that I'm doing a remote background upgrade. My question is regarding a local upgrade in which I send the user a zip file via email and they take that and then login to their wordpress site, navigate to my theme options page and click "upload" to launch my upload routine. (continued, next comment) – Scott B Jan 27 '10 at 20:24
  • So, I'm not concerned as much with the integrity of the zip file, rather I'm trying to prevent any malicious user from using the upload page for gaining access to the server. Short of doing the login check, what more should I reasonably be expected to do? – Scott B Jan 27 '10 at 20:25
  • Apart from rock hard password protecting both the upload form, and the script that receives and handles the uploaded file, I can't think of anything else. The latter is essential, though, of course. I think there will be a WordPress API function to ensure that the current user is logged in, right? If you rely on that, you can't do much wrong, and you'll provide the same level of security as the WordPress backend does. – Pekka Jan 27 '10 at 20:27
  • if (!is_user_logged_in()){ die("You Must Be Logged In to Access This"); } if( ! current_user_can('edit_files')) { die("Oops sorry you are not authorized to do this"); } – Scott B Jan 27 '10 at 22:44
  • Sounds all right. I wouldn't know what to add to this in order to increase security. If an attacker passes through WP's login check, everything is lost anyway. – Pekka Jan 27 '10 at 22:50
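Pulling the thread's advice together (the asker's login and capability checks from the question and the last comments, and Pekka's points that archive contents cannot be trusted by inspection, that images can be re-encoded through GD, and that a published hash lets the receiver check the file), here is an added PHP example. It is not the asker's code, not Pekka's, and not part of WordPress; the upload field name `theme_zip`, the nonce action `theme_update_upload`, and the option `theme_update_sha256` (holding the SHA-256 of the currently published release ZIP) are assumptions made for the example.

```php
<?php
// Added example, not the asker's or answerer's code: a hardened ZIP-based theme
// update routine following the thread's advice. Hypothetical names: upload field
// 'theme_zip', nonce action 'theme_update_upload', option 'theme_update_sha256'.

const THEME_UPDATE_ALLOWED_EXT     = ['php', 'jpg', 'gif', 'png'];
const THEME_UPDATE_MAX_ENTRY_BYTES = 5 * 1024 * 1024;

/** Inspect the archive before extracting anything. Returns the problems found ([] = accepted). */
function theme_update_validate_zip(string $zip_path, string $expected_sha256): array
{
    // Gate 1: the upload must be byte-for-byte the release we published.
    $actual = hash_file('sha256', $zip_path);
    if (!hash_equals(strtolower($expected_sha256), $actual)) {
        return ["SHA-256 mismatch: got $actual"];
    }
    $zip = new ZipArchive();
    if ($zip->open($zip_path, ZipArchive::CHECKCONS) !== true) {
        return ['not a valid ZIP archive'];
    }
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st   = $zip->statIndex($i);
        $name = $st['name'];
        // Gate 2: reject absolute paths, '..' parts, backslashes and NUL bytes (no writes outside staging).
        if ($name === '' || $name[0] === '/' || strpos($name, '\\') !== false
            || strpos($name, "\0") !== false || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            $problems[] = "unsafe entry name: $name";
            continue;
        }
        if (substr($name, -1) === '/') continue; // directory entry
        // Gate 3: the asker's extension allow-list, checked on the final extension.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, THEME_UPDATE_ALLOWED_EXT, true)) {
            $problems[] = "disallowed file type: $name";
        }
        // Gate 4: cap the uncompressed size so a tiny upload cannot fill the disk.
        if ($st['size'] > THEME_UPDATE_MAX_ENTRY_BYTES) {
            $problems[] = "entry too large: $name";
        }
    }
    $zip->close();
    return $problems;
}

/** Re-encode an image through GD so only pixel data survives (EXIF and trailing payloads are dropped). */
function theme_update_reencode_image(string $path): bool
{
    $info = @getimagesize($path);
    if ($info === false) return false;
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $img = @imagecreatefromjpeg($path); return $img && imagejpeg($img, $path, 90);
        case IMAGETYPE_GIF:  $img = @imagecreatefromgif($path);  return $img && imagegif($img, $path);
        case IMAGETYPE_PNG:
            $img = @imagecreatefrompng($path);
            if ($img) { imagealphablending($img, false); imagesavealpha($img, true); }
            return $img && imagepng($img, $path);
        default:
            return false;
    }
}

/** Handler wired to the theme options page; runs inside wp-admin. */
function theme_update_handle_upload(): void
{
    // Authentication and authorization (the asker's checks), then CSRF protection.
    if (!is_user_logged_in() || !current_user_can('edit_files')) {
        wp_die('You are not authorized to do this.');
    }
    check_admin_referer('theme_update_upload');
    $f = $_FILES['theme_zip'] ?? null;
    if (!$f || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        wp_die('No file was uploaded.');
    }
    $problems = theme_update_validate_zip($f['tmp_name'], (string) get_option('theme_update_sha256'));
    if ($problems) {
        wp_die('Update rejected: ' . esc_html(implode('; ', $problems)));
    }
    // Extract into a private staging directory outside the web root, never straight into the theme.
    $staging = sys_get_temp_dir() . '/theme-update-' . bin2hex(random_bytes(8));
    mkdir($staging, 0700);
    $zip = new ZipArchive();
    $zip->open($f['tmp_name']);
    $zip->extractTo($staging);
    $zip->close();
    // Copy staged files over the live theme; images are re-encoded first, undecodable "images" are dropped.
    $dest = get_stylesheet_directory();
    $it   = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($staging, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        $src = $file->getPathname();
        if (strtolower($file->getExtension()) !== 'php' && !theme_update_reencode_image($src)) {
            continue;
        }
        $target = $dest . '/' . substr($src, strlen($staging) + 1);
        @mkdir(dirname($target), 0755, true);
        copy($src, $target);
    }
}
```

The hash comparison is the gate that does the real work: as Pekka says, no inspection can tell benign PHP from malicious PHP, so the only acceptable .php files are the ones in the exact archive the theme author published, and `theme_update_sha256` has to be refreshed with each release. The entry-name, extension, and size checks are defence in depth against a crafted archive reaching `extractTo()` at all, and the GD pass means a file that merely carries an image extension is never installed unless it actually decodes as an image (note the JPEG re-encode is lossy). Two caveats: `current_user_can('edit_files')` is denied on sites that define `DISALLOW_FILE_EDIT`, so pick a capability that matches your deployment, and `check_admin_referer` only helps if the form is rendered with the matching `wp_nonce_field('theme_update_upload')`.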