
I have a Rails app (v4.2). I have two actions that permit an image upload using Paperclip. I have Paperclip validation on the MIME types.

Anti-malware on the server found a bunch of PHP files in /tmp like this one:

/tmp/RackMultipart20190610-9668-u9nebk.php

I assume they are created in the file upload process.

Two questions:

  1. How can I track down where they came from? Looking in my production.log, I see a bunch of 404s for POSTs to bogus Joomla & WordPress .php paths but nothing that could have been responsible for these uploads.

  2. How can I prevent them in the future?

I'm using rack-attack and can block .php file extensions, but how can I block file uploads in forms?

We have two places where signed in members can upload images or PDFs. How can I block all other attempts to upload files?

Kevin Lawrence

1 Answer


File upload bypass is a common technique for uploading webshells and other stuff.

There are two basic methods that will help you decrease the number of files uploaded to your server:

MIME Content-Type validation: If you validate the content type of the uploaded file (since you just want images) you can ensure that only image-type files are uploaded:

:content_type => ["image/gif", "image/jpg", "image/jpeg", "image/png", "image/bmp", "image/x-bmp"]

But this still can be bypassed, so you need to add another verification:

File extension validation: You should also add a file extension validation to ensure you only permit image-type extensions for your upload.

I've found a cool post that shows a good implementation of file extension validation: https://stevenyue.com/blogs/validate-attachment-file-size-and-type-in-rails/

Make sure you implement both of these techniques and you should be fine.

Igor Servulo
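The two checks the answer recommends, plus the one that closes the bypass it mentions, as an added example (editor's code, not the question's or the answer's, and not Paperclip's own API). Both the Content-Type header and the filename of a multipart part are chosen by the client, so a third check on the file's first bytes is what actually catches a PHP payload sent with an image MIME type and an image extension. The module name, the ALLOWED table and the SAMPLES are assumptions made for this example; in a Paperclip model the first two checks correspond to validates_attachment_content_type and validates_attachment_file_name, and Paperclip 4+ additionally runs its own spoof detector over the file content.

```ruby
# Added example, not code from the question or the answer.
# Three checks on an uploaded file: declared Content-Type (client-supplied),
# file extension (client-supplied), and the file's first bytes (what the server
# would actually store). Plain Ruby so it runs stand-alone, no Rails needed.
module UploadValidator
  # Allow-list for "images or PDFs": content type => permitted extensions and
  # the magic prefixes a genuine file of that type starts with. (Assumed list.)
  ALLOWED = {
    'image/jpeg'      => { exts: %w[.jpg .jpeg],
                           magic: [[0xFF, 0xD8, 0xFF].pack('C*')] },
    'image/png'       => { exts: %w[.png],
                           magic: [[0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A].pack('C*')] },
    'image/gif'       => { exts: %w[.gif],
                           magic: ['GIF87a'.b, 'GIF89a'.b] },
    'application/pdf' => { exts: %w[.pdf],
                           magic: ['%PDF-'.b] },
  }.freeze

  Result = Struct.new(:ok, :reason)

  # filename and content_type come from the multipart part headers; bytes is
  # the beginning of the uploaded content (e.g. io.read(16) on the tempfile).
  def self.check(filename:, content_type:, bytes:)
    spec = ALLOWED[content_type.to_s.strip.downcase]
    return Result.new(false, "content type #{content_type.inspect} not allowed") unless spec

    # Only the basename and the last extension count, so "../../x.php" is
    # judged as "x.php". "shell.php.jpg" passes this check; the magic-byte
    # check below is what catches PHP hidden behind an image extension.
    ext = File.extname(File.basename(filename.to_s)).downcase
    unless spec[:exts].include?(ext)
      return Result.new(false, "extension #{ext.inspect} not allowed for #{content_type}")
    end

    head = bytes.to_s.b
    unless spec[:magic].any? { |m| head.start_with?(m) }
      return Result.new(false, 'content does not match declared type')
    end

    Result.new(true, nil)
  end

  # Constructed sample uploads (not captured traffic) covering the legitimate
  # case and the evasions the answer warns about.
  SAMPLES = {
    'real jpeg'                 => ['photo.jpg', 'image/jpeg',
                                    [0xFF, 0xD8, 0xFF, 0xE0].pack('C*') + 'JFIF'.b],
    'real pdf'                  => ['cv.pdf', 'application/pdf', '%PDF-1.4'.b],
    'php with php mime'         => ['shell.php', 'application/x-php', '<?php'.b],
    'php with spoofed mime'     => ['shell.php', 'image/jpeg', '<?php'.b],
    'php with spoofed mime+ext' => ['shell.jpg', 'image/jpeg',
                                    '<?php system($_GET["c"]); ?>'.b],
  }.freeze

  # Runs every sample and returns { label => [ok, reason] }.
  def self.demo
    SAMPLES.transform_values do |(name, type, bytes)|
      r = check(filename: name, content_type: type, bytes: bytes)
      [r.ok, r.reason]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  UploadValidator.demo.each do |label, (ok, reason)|
    puts format('%-27s %s %s', label, ok ? 'ACCEPT' : 'REJECT', reason)
  end
end
```

One caveat on where these checks run: the /tmp/RackMultipart*.php names in the question are the tempfiles Rack's multipart parser creates for every file part, using the client-supplied extension, and that parsing happens in the middleware stack (Rack::MethodOverride reads the POST body of every POST request) before any controller or model validation runs, whether or not the path even routes. So model-level validation like the above decides what gets kept, but a POST with a multipart body to a bogus Joomla/WordPress path will still briefly produce such a tempfile; the complementary fix for question 2 is a middleware-level rule (a rack-attack blocklist keyed on request path and Content-Type is one place for it) that rejects multipart POSTs to anything other than the two upload actions.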