-1

When it comes to uploading images on a website, I know you can trick PHP into believing that the file is an image by changing the extension from ".php" to ".jpg". Then, once the file is uploading, you can use Tamper Data to change the file extension back to ".php".
The only way I can think of preventing this is comparing hashes, but I do not trust this method.
Is there a way to prevent files being tampered with during the upload process?

h4ck3r
  • Which hashes would you be comparing, and how does that allow you to validate anything? Also, why do you "not trust this method"? – OJ. Jul 06 '13 at 06:54
  • 3
    PHP will only start executing once the image is entirely posted to the server. You don't have to worry about anything on the client if you are validating the file upload on the server. – Sam152 Jul 06 '13 at 07:22
  • When I say comparing hashes I mean once the file is selected the server will create a hash then after the file is uploaded it will create another hash of the same file to see if it has been tampered with. I guess "not trust this method" isn't what I mean. I mean is there another way? – h4ck3r Jul 06 '13 at 07:49

1 Answer

2

When I say comparing hashes I mean once the file is selected the server will create a hash then after the file is uploaded it will create another hash of the same file to see if it has been tampered with.

Firstly, you can't rely on anything on the client side. A malicious user could craft a POST request that simply sends the correct hash and the file. (This can be done with Tamper Data too.)

Hashing protects against tampering only when the hash is more trustworthy than the file.


To secure this, teach whatever script you have on the backend to reject executables (Even better, allow only from a small subset of extensions). So you can just check if the received file name is of an image type. An attacker cannot spoof that without already having access to your server.

If you want more security, you can validate that it is an image by passing it through some image parsing function.

Note that your server should be set up so that any and all uploads are stored in such a way that they cannot be executed (Making the directory static in Apache will partially help this, you need to protect against file inclusion as well).

Manishearth
  • Even in a static directory, a PHP file with a .jpg extension can be used for local file inclusion and as the target for a remote file inclusion on someone else's server. You should *always* validate images by parsing. (And hope there are no bugs in the parser.) – Ladadadada Jul 06 '13 at 11:57
  • @Ladadadada Hmm, true. – Manishearth Jul 06 '13 at 12:02
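As an added example, not code from the original question or answer: a PHP upload handler that applies the answer's points on the server side after the upload has completely arrived. It ignores everything the client sends about the file (the filename, its extension, the Content-Type, and any hash), sniffs and parses the content, assigns a server-chosen name, and writes a freshly re-encoded copy under a directory that is assumed to sit outside the document root. The directory path in UPLOAD_DIR and the size limit are assumptions for this example.

```php
<?php
// Added example (not from the original post): server-side validation of an
// uploaded image. Nothing the client sends is trusted; the file is checked on
// the server after the upload has fully arrived and stored under a name the
// server chooses. UPLOAD_DIR and MAX_BYTES are assumptions for this example.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads-private'; // assumed: NOT under the document root
const MAX_BYTES  = 2 * 1024 * 1024;            // assumed limit

// Allow-list keyed by the MIME type the *content* yields (not the client's
// claim), mapped to the extension the server will assign.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it in UPLOAD_DIR.
 * Returns the stored filename, or throws on any failure.
 */
function store_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    $tmp = $file['tmp_name'];
    // Only accept a file PHP itself wrote for this request, never a path the
    // client could influence (e.g. an existing file on the server).
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Content sniffing via libmagic. $file['name'] and $file['type'] are
    //    attacker-controlled and are deliberately never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }

    // 2. Parse it as an image. getimagesize() reads the headers; the decode
    //    step below goes through the whole pixel data, so a file that is
    //    "a JPEG header followed by <?php ... ?>" does not survive re-encoding.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('image header does not match content');
    }
    $img = @imagecreatefromstring(file_get_contents($tmp));
    if ($img === false) {
        throw new RuntimeException('image does not decode');
    }

    // 3. Server-chosen name and extension: the client's filename is never used,
    //    so "shell.php", "a.jpg.php" or "a.php%00.jpg" cannot reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    // 4. Write a freshly encoded copy rather than moving the original bytes.
    $ok = match ($mime) {
        'image/jpeg' => imagejpeg($img, $dest, 85),
        'image/png'  => imagepng($img, $dest),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $name;
}

// Usage from the form handler (field name "avatar" is assumed):
// $stored = store_image($_FILES['avatar']);
```

Two caveats a practitioner should keep in mind. Re-encoding through GD strips trailing payloads and EXIF tricks, but it also drops GIF animation and relies on GD's own parsers being free of bugs, which is exactly the residual risk Ladadadada's comment points at; keep the image libraries patched. Storing under a private directory and serving the files through a small read-only script (or a static location where PHP is disabled) is what makes a successful bypass harmless, because a stored file that is never executed and never included cannot run.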