Best methods to avoid File Upload Vulnerabilities

Let's discuss how we can avoid file upload vulnerabilities and what the different types of file upload vulnerability are.

Generally, there are two types of file upload vulnerability. I am going to give them descriptive names so that the basic difference between the two is easier to understand.

Local file upload vulnerability-

In this type of vulnerability, the application lets the user upload a malicious file and then execute it.

Remote file upload vulnerability-

In this type of vulnerability, the application uses user input to fetch a remote file from the Internet and stores it locally. The attacker then makes use of that stored file.

To understand these vulnerabilities in detail, let us take a closer look at how they arise and how to prevent them.

Local File Upload Vulnerability

To study this vulnerability, let us look at the ‘wpshop’ plugin file upload vulnerability reported in early 2015. Here is the code that created the vulnerability:

$file = $_FILES['wpshop_file'];
$tmp_name = $file['tmp_name'];
$name = $file['name'];
@move_uploaded_file($tmp_name, WPSHOP_UPLOAD_DIR.$name);

You can find this code at line 620 of includes/ajax.php in version 1.3.9.5 of the plugin.

Let's find out which problems lead to the file upload vulnerability.

Error 1:

We need to make sure that the user has signed in, and that they are authorized, before giving them access to upload a file. This way an attacker cannot upload a file to the website without permission.

You can prevent this error by making sure that the user has the authority to upload files before processing them.

if (!current_user_can('upload_files')) // Verify the current user can upload files
    wp_die(__('You do not have permission to upload files.'));

// Process file upload

Error 2:

The file name is not sanitized at all, which simply lets the attacker upload a file with a .php extension that can later be executed from the web.

To avoid this, developers can use the built-in WordPress features to sanitize the file name so that it does not carry an extension that can execute code through the web.

wp_check_filetype() verifies that the file's extension is allowed to be uploaded, and by default the WordPress list of allowed file types prevents any executable code from being uploaded.

$fileInfo = wp_check_filetype(basename($_FILES['wpshop_file']['name']));
if (!empty($fileInfo['ext'])) {
    // This file is valid
} else {
    // Invalid file
}

You can further limit what is allowed by specifying the permitted MIME types. Only images are allowed in this list.

// We are only allowing images
$allowedMimes = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif'          => 'image/gif',
    'png'          => 'image/png',
);

$fileInfo = wp_check_filetype(basename($_FILES['wpshop_file']['name']), $allowedMimes);

After checking the file name and making sure that it is safe, we can perform the file upload using the convenient WordPress built-in function wp_handle_upload().

// Use the same image allowlist here as in wp_handle_upload() below
$fileInfo = wp_check_filetype(basename($_FILES['wpshop_file']['name']), $allowedMimes);

if (!empty($fileInfo['type'])) {
    $uploadInfo = wp_handle_upload($_FILES['wpshop_file'], array(
        'test_form' => false,        // not submitted through the wp-admin media form
        'mimes'     => $allowedMimes, // restrict the types WordPress will accept
    ));
    if (isset($uploadInfo['error'])) {
        wp_die(esc_html($uploadInfo['error'])); // WordPress rejected the file
    }
}

Verify the uploaded content for security measures.

Verify the content before accepting the upload to make sure that attackers are not trying to upload executable PHP code. For instance, you can check whether the file is a valid image by calling the PHP getimagesize() function on the uploaded file.

This function reads the image's header information and returns false for anything that is not a valid image, so it is one more way to verify and keep a check on the content.

 

if (!@getimagesize($_FILES['wpshop_file']['tmp_name']))
    wp_die(__('An invalid image was supplied.'));
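Putting the checks of this section together, here is an added example, not the wpshop plugin's code, of a handler that replaces the vulnerable move_uploaded_file() call. The function name wpshop_safe_handle_upload is assumed, as is that it runs inside WordPress with the same 'wpshop_file' form field used above.

```php
<?php
// Added example, not the wpshop plugin's code. Assumes WordPress is loaded
// (e.g. an admin-ajax handler) and the form field is 'wpshop_file' as above.
function wpshop_safe_handle_upload() {
    // 1. Authorization: only users allowed to upload files get this far.
    if (!current_user_can('upload_files')) {
        wp_die(__('You do not have permission to upload files.'));
    }

    // Refuse anything that did not arrive through a real HTTP upload.
    if (empty($_FILES['wpshop_file']['tmp_name'])
        || !is_uploaded_file($_FILES['wpshop_file']['tmp_name'])) {
        wp_die(__('No file was uploaded.'));
    }

    // 2. Extension/MIME allowlist: only images, so .php and every other
    //    extension not listed here is rejected before the file is moved.
    $allowedMimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'gif'          => 'image/gif',
        'png'          => 'image/png',
    );
    $fileInfo = wp_check_filetype(basename($_FILES['wpshop_file']['name']), $allowedMimes);
    if (empty($fileInfo['ext']) || empty($fileInfo['type'])) {
        wp_die(__('This file type is not allowed.'));
    }

    // 3. Content check: the bytes must parse as an image, not merely carry an image name.
    if (!@getimagesize($_FILES['wpshop_file']['tmp_name'])) {
        wp_die(__('An invalid image was supplied.'));
    }

    // 4. Let WordPress move the file: it re-validates the type and writes it
    //    under a unique, sanitized name instead of the client-supplied one.
    require_once ABSPATH . 'wp-admin/includes/file.php'; // needed outside wp-admin
    $uploadInfo = wp_handle_upload($_FILES['wpshop_file'], array(
        'test_form' => false,
        'mimes'     => $allowedMimes,
    ));
    if (isset($uploadInfo['error'])) {
        wp_die(esc_html($uploadInfo['error']));
    }

    return $uploadInfo; // array with 'file' (path), 'url' and 'type'
}
```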

 

Remote File Upload Vulnerability

This is another type of file upload vulnerability, where the file is not uploaded directly by the visitors of the site. Instead, they provide a URL, which the application uses to fetch the file. The attacker can then use that fetched file to gain access to the site.

One of the common examples of a remote file upload vulnerability is the TimThumb vulnerability, which affected a lot of themes and plugins.

How to avoid remote file upload vulnerabilities

Avoiding this is similar to avoiding the local file upload vulnerability.

  • Only allow specific file extensions.
  • Only allow authorized and authenticated users to use the feature.
  • Check the content of any file fetched from the Web. Make sure it is actually an image or whatever file type you expect.
  • Serve fetched files from your application rather than directly via the web server.
  • Store files in a directory that is not publicly accessible if you can.
  • When you store the file, write it so that it includes a header that makes it non-executable.
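The list above, carried into code as an added example that is not from the page or any plugin: a fetch routine that applies each precaution in turn. The function name wpshop_safe_fetch_remote_image, the storage path and the 2 MB limit are assumptions; the .htaccess write is one way to realise the "non-executable" point on Apache with mod_php, and WordPress's download_url() (which fetches through wp_safe_remote_get()) is used for the transfer.

```php
<?php
// Added example, not from the page or any plugin. Assumes WordPress is loaded;
// $storeDir is a placeholder for a directory outside the web root, and the
// .htaccess line is one way to make a stored file non-executable (Apache
// with mod_php; with PHP-FPM the handler must be disabled at server level).
function wpshop_safe_fetch_remote_image($url) {
    // Only authenticated users with upload rights may trigger a fetch.
    if (!current_user_can('upload_files')) {
        wp_die(__('You do not have permission to fetch files.'));
    }

    // Accept plain http(s) URLs only; file://, php:// and the like are dropped.
    $url = esc_url_raw($url, array('http', 'https'));
    if ($url === '') {
        wp_die(__('Invalid URL.'));
    }

    // Extension allowlist, applied to the URL path before anything is downloaded.
    $allowedMimes = array('jpg|jpeg|jpe' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png');
    $fileInfo = wp_check_filetype(basename((string) wp_parse_url($url, PHP_URL_PATH)), $allowedMimes);
    if (empty($fileInfo['ext'])) {
        wp_die(__('Only image URLs are accepted.'));
    }

    // download_url() fetches via wp_safe_remote_get() into a temporary file (15 s timeout).
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url($url, 15);
    if (is_wp_error($tmp)) {
        wp_die(esc_html($tmp->get_error_message()));
    }

    // Content check: size limit (2 MB, chosen here) and real image headers.
    if (filesize($tmp) > 2 * MB_IN_BYTES || !@getimagesize($tmp)) {
        @unlink($tmp);
        wp_die(__('The fetched file is not a valid image.'));
    }

    // Store outside the web root under a server-generated name, never the remote one.
    $storeDir = '/srv/wpshop-fetched'; // placeholder: must not be web-accessible
    wp_mkdir_p($storeDir);
    file_put_contents($storeDir . '/.htaccess', "php_flag engine off\nRemoveHandler .php .phtml\n");
    $dest = $storeDir . '/' . wp_generate_password(16, false) . '.' . $fileInfo['ext'];
    if (!@rename($tmp, $dest)) {
        @unlink($tmp);
        wp_die(__('Could not store the fetched file.'));
    }
    return $dest; // later served by the application with the Content-Type from $fileInfo['type']
}
```

The returned path is meant to be read and streamed by your own handler, which keeps the web server from ever treating the stored file as a script.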

Conclusion

As discussed above, file upload vulnerabilities are a serious issue. But once developers are well aware of them, they can easily be tackled. There are many ways to avoid them and protect our WordPress site from such issues.
