Problems with 777 and PHP permissions

0

I have a problem involving PHP and permission 777. On my server there is an upload folder with 777 permissions, and a hacker was able to upload a .php file to that folder, which changed everything that was on my server. I would like to know how this is done and how I can avoid this vulnerability.

    
asked by anonymous 27.05.2015 / 15:42

1 answer

3

Here are some security tips for working with file uploads in PHP:

  • Store uploaded files outside the document root of your web application. This way the files cannot be accessed directly by the browser.
  • Do not store the uploaded file under the name sent by the upload form. Generate a random name and keep track of it in a database.
  • Make sure the MIME type of the file matches the type of file you want to receive as an upload. Do not rely only on the file extension or the HTTP Content-Type header. For example, to make sure that the uploaded file is a GIF image:

    <?php
    // Detect the type from the file's contents, not from its name or from
    // the Content-Type header the client sent.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime_type = finfo_file($finfo, "image.gif");
    finfo_close($finfo);
    
    if ($mime_type === 'image/gif') {
        // file is a gif
    }
    
27.05.2015 / 17:15
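The three tips above put together into one upload handler, as an added example that is not part of the original answer. The storage directory, the size limit, the allow-list of types, the `uploads` table and the column names are assumptions for illustration; the handler accepts the file only if PHP itself received it in this request, sniffs the real type from the bytes with `finfo`, writes it under a server-generated random name with an allow-listed extension into a directory outside the document root, and serves it back by database id through `readfile()` so the browser never gets a URL to the stored file.

```php
<?php
// Added example (not from the original answer): a hardened upload handler.
// UPLOAD_DIR, MAX_BYTES, ALLOWED and the "uploads" table are assumptions.
declare(strict_types=1);

// Assumed directory OUTSIDE the document root (e.g. the web root is
// /var/www/app/public). Create it with mode 0750, owned by the PHP user;
// it must never be 777 and must not be reachable through any URL.
const UPLOAD_DIR = '/var/www/app/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Allow-list: MIME type detected from the CONTENT -> extension we store under.
// Anything not listed here is rejected, so a .php file can never be written.
const ALLOWED = [
    'image/gif'  => 'gif',
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR under a random name.
 * Returns ['stored' => ..., 'original' => ..., 'mime' => ...] or throws.
 */
function store_upload(array $file, PDO $db): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed (error code ' . ($file['error'] ?? '?') . ')');
    }
    // Only accept a path that PHP created for this request's multipart body.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the type from the bytes; ignore $file['type'] (client-controlled)
    // and whatever extension the client put on $file['name'].
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }

    // Server-chosen name: 32 hex chars plus an allow-listed extension.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0640); // readable by the app, not executable, not world-writable

    // The original name is kept only as metadata, never used on disk.
    $original = basename((string) $file['name']);
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, original_name, mime) VALUES (?, ?, ?)');
    $stmt->execute([$stored, $original, $mime]);

    return ['stored' => $stored, 'original' => $original, 'mime' => $mime];
}

/**
 * Stream a stored file by its database id. The real path is never exposed and
 * the bytes are sent by PHP, not executed or served by the web server.
 */
function serve_upload(int $id, PDO $db): void
{
    $stmt = $db->prepare('SELECT stored_name, original_name, mime FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    // stored_name is server-generated, so it cannot contain "/" or "..";
    // re-check the shape anyway before touching the filesystem.
    if (!preg_match('/^[0-9a-f]{32}\.[a-z]+$/', $row['stored_name'])) {
        http_response_code(500);
        return;
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $safeName . '"');
    readfile(UPLOAD_DIR . '/' . $row['stored_name']);
}

// Usage, assuming a table
//   uploads(id INTEGER PRIMARY KEY AUTOINCREMENT, stored_name TEXT, original_name TEXT, mime TEXT)
// $db = new PDO('sqlite:' . __DIR__ . '/../uploads.db');
// if (isset($_FILES['avatar'])) { $info = store_upload($_FILES['avatar'], $db); }
// if (isset($_GET['id']))       { serve_upload((int) $_GET['id'], $db); }
```

The combination matters: the random name and the allow-listed extension stop a `shell.php` from ever existing on disk, the directory outside the document root stops the web server from executing anything that does land there, and the 0750/0640 modes mean no other local user can drop files in either. If the upload directory has to stay under the document root for some reason, the remaining safety net is to turn script execution off for that directory in the web server configuration (for Apache, `php_admin_flag engine off` inside a `<Directory>` block; for nginx, a `location` for that path that does not pass requests to php-fpm).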