Discussion: File Upload Security
Old 14/04/2008, 11h20   #7
Peter Ford
Re: File Upload Security

Al wrote:
> Thanks guys.
>
> I had written a newer version restricted to images which checks MIME and
> image width and height.
>
> I have one application which needs a text file. I think I'll have my
> users hide a password in it and scan the whole file for <? and <?php and
> other signs of scripts, etc.
>
> Al wrote:
>> One of my sites has been hacked and I'm trying to find the hole. The
>> hack code creates dirs with "nobody" ownership, so it's obvious stuff
>> is not via ftp [ownership would be foo]
>>
>> Site is virtual host, Linux/Apache
>>
>> I'm concerned about a file uploader my users use to upload photos.
>>
>> Can anyone see a hole in this script? Can my code upload an executable
>> masquerading as an image file?
>>

You probably need a deeper inspection than checking the extension - that's
Microsoft thinking...
You can't trust what the client is telling you - even the MIME type sent by the
browser is no guarantee.
Since you're on Linux, why not look at using the 'file' shell command to get a
more detailed inspection of the upload.
I made a basic function like this a few years ago - probably needs a bit of
tweaking:

<?php
// Ask the system 'file' command for the MIME type of an upload, using a
// magic file that yields MIME strings rather than free-text descriptions.
function getMimeType($file)
{
    global $magicFile;
    // The PHP function is escapeshellarg (no trailing 's'); both the magic
    // file path and the upload path are quoted so they cannot inject into
    // the command. The command must stay on one line: an embedded newline
    // inside the string would split it into two shell commands.
    $mimecmd = "/usr/bin/file -b -m " . escapeshellarg($magicFile) . " "
             . escapeshellarg($file) . " 2> /dev/null";
    // exec() returns the last line of output, i.e. the MIME type, or an
    // empty string if 'file' failed or printed nothing.
    $ret = exec($mimecmd);
    if (!$ret)
    {
        $ret = "unknown";
    }
    return $ret;
}
?>

The global $magicFile is the tricky bit - you need to find a nice Unix magic
numbers file that returns mime types (they're easier to parse than regular magic
number responses). Probably something like /usr/share/misc/magic.mime, but that
depends on the system.


--
Peter Ford phone: 01580 893333
Developer fax: 01580 893399
Justcroft International Ltd., Staplehurst, Kent
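As an added example (not part of Peter's post or Al's upload script), here is the same idea done inside PHP without shelling out: PHP's finfo class wraps the same libmagic library that the 'file' command uses, so the client's filename and MIME type are ignored and the decision is made from the bytes on disk. The allowed-type table, the size and dimension limits, and $uploadDir (a directory outside the web root) are assumptions for the example; it assumes PHP 7.1 or later with the fileinfo extension loaded.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7.1+ with the
// fileinfo extension; ALLOWED_TYPES, MAX_BYTES, MAX_DIM and $uploadDir are
// illustrative settings, not values from the original post.

// Content types we accept, mapped to the extension the server will assign.
// The extension the client chose is never used.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'text/plain' => 'txt',
];
const MAX_BYTES = 2 * 1024 * 1024;   // 2 MiB cap, arbitrary for this example
const MAX_DIM   = 4000;              // reject absurd image dimensions

// Inspect a file already on disk. Returns ['ok' => bool, 'reason' => string,
// 'ext' => string]. Takes any path, so it can be exercised without a real
// HTTP upload.
function inspectUpload(string $path): array
{
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'bad size', 'ext' => ''];
    }

    // Sniff the real content type from the bytes (libmagic), not from the browser.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return ['ok' => false, 'reason' => 'type not allowed: ' . $mime, 'ext' => ''];
    }

    if (strncmp($mime, 'image/', 6) === 0) {
        // A second, independent parser must also accept it as an image and
        // must agree with libmagic about which kind of image it is.
        $info = @getimagesize($path);
        if ($info === false || $info[0] < 1 || $info[1] < 1
            || $info[0] > MAX_DIM || $info[1] > MAX_DIM) {
            return ['ok' => false, 'reason' => 'not a sane image', 'ext' => ''];
        }
        if ($info['mime'] !== $mime) {
            return ['ok' => false, 'reason' => 'parsers disagree on type', 'ext' => ''];
        }
    }

    // Whatever the type, refuse anything carrying a PHP open tag. This is a
    // belt-and-braces check; the real protection is that the file is stored
    // outside the web root under a server-chosen name and is never executed.
    if (preg_match('/<\?/', file_get_contents($path))) {
        return ['ok' => false, 'reason' => 'contains script tag', 'ext' => ''];
    }

    return ['ok' => true, 'reason' => '', 'ext' => ALLOWED_TYPES[$mime]];
}

// Validate one entry of $_FILES and move it into $uploadDir under a random
// name. Returns the stored filename, or null if the upload was rejected.
function storeUpload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $verdict = inspectUpload($file['tmp_name']);
    if (!$verdict['ok']) {
        error_log('upload rejected: ' . $verdict['reason']);
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $verdict['ext'];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // readable by the web server, never executable
    return $name;
}

// Self-check on constructed files (no HTTP request needed): a plain note is
// accepted, a "text file" that smuggles a PHP tag is rejected.
$good = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($good, "just a note\n");
$bad  = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($bad, "secret\n<?php echo 'x'; ?>\n");
echo json_encode(inspectUpload($good)), "\n";
echo json_encode(inspectUpload($bad)), "\n";
unlink($good);
unlink($bad);
```

Two things worth noting. A binary image can legitimately contain the byte pair "<?" somewhere in its pixel data, so the tag scan will occasionally reject a good photo; that is an acceptable trade-off only because the scan is a secondary check. The primary defence is structural: the server picks the filename and extension from its own allowlist, writes the file outside the document root with a non-executable mode, and serves it back through a script or a directory where PHP execution is disabled, so even a file that fools libmagic cannot be run.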