PHP shell upload IV

Uploaded by on Dec 28, 2008

Understanding a system's architecture is essential to analyzing its security.

PHP file upload architecture:
1. Files are transferred from the client filesystem to server RAM.
2. The Apache process checks the httpd.conf and php.ini directives.
3. Once completed, the file is dumped into the server's default temporary directory, unless another location has been given with the upload_tmp_dir directive in php.ini. The temporary directory used for storing files must be writable by the Apache user.
4. After a correct transfer, if track_vars is enabled (always since 4.0.3), the $_FILES superglobal array is defined. As a superglobal it is available in all scopes throughout a script, so there is no need to do global $variable; to access it within functions or methods. Only name and type are provided by the user; tmp_name, error, and size are provided by PHP. The related variables will be initialized as globals if register_globals is enabled (it must be deactivated).
5. Control is then given to the PHP script to move the file to another location. If it does not, the temp file is automatically unlinked at the end of the script.

Directives:
* max_file_size: PHP checks for the existence of a form field named "max_file_size" (upper case is also OK), which should contain an integer with the maximum number of bytes allowed. If the uploaded file is bigger than the integer in this field, PHP disallows the upload and reports an error code in the $_FILES array (2).

httpd.conf:
* LimitRequestBody: Specifies the number of bytes, from 0 (meaning unlimited) to 2147483647 (2GB), that are allowed in a request body. If the client request exceeds that limit, the server returns an error response instead of servicing the request. May be useful for avoiding some forms of denial-of-service attacks.

php.ini:
* file_uploads: Whether or not to allow HTTP file uploads.
* upload_max_filesize: The maximum size of an uploaded file in bytes.
* post_max_size: Sets the maximum size of POST data allowed, in bytes. If the size of the POST data is greater than post_max_size, the $_FILES superglobal is empty.
* memory_limit: Sets the maximum amount of memory in bytes that a script is allowed to allocate. This helps prevent poorly written scripts from eating up all available memory on a server. Note that to have no memory limit, set this directive to -1.

$_FILES['userfile']['error']:
* UPLOAD_ERR_OK : Value 0 : File uploaded successfully.
* UPLOAD_ERR_INI_SIZE : Value 1 : File size exceeded php.ini value.
* UPLOAD_ERR_FORM_SIZE : Value 2 : File size exceeded MAX_FILE_SIZE form value.
* UPLOAD_ERR_PARTIAL : Value 3 : File was only partially uploaded.
* UPLOAD_ERR_NO_FILE : Value 4 : No file was uploaded.
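The following handler is an added example, not code from the video or its description. It shows how a script that receives control in step 5 can rely only on the fields PHP fills in (error, size, tmp_name) and ignore the client-supplied name and type. The field name userfile matches the description; UPLOAD_DIR, MAX_BYTES, the ALLOWED map and the function name handle_upload are assumptions, and random_bytes() requires PHP 7 or later.

```php
<?php
// Added example. UPLOAD_DIR, MAX_BYTES and ALLOWED are assumed values.
const UPLOAD_DIR = '/var/www/uploads';  // assumed: a directory where the server never executes scripts
const MAX_BYTES  = 1048576;             // assumed application limit (1 MiB)
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function handle_upload(array $files): string
{
    // If post_max_size was exceeded, $_FILES is empty and the key is missing.
    // An array here means a multi-file field, which this handler does not accept.
    if (!isset($files['userfile']['error']) || is_array($files['userfile']['error'])) {
        throw new RuntimeException('No upload received.');
    }
    $f = $files['userfile'];

    switch ($f['error']) {
        case UPLOAD_ERR_OK:        break;
        case UPLOAD_ERR_INI_SIZE:  // 1: larger than upload_max_filesize
        case UPLOAD_ERR_FORM_SIZE: // 2: larger than the MAX_FILE_SIZE form field
            throw new RuntimeException('File too large.');
        case UPLOAD_ERR_PARTIAL:   throw new RuntimeException('Partial upload.');
        case UPLOAD_ERR_NO_FILE:   throw new RuntimeException('No file sent.');
        default:                   throw new RuntimeException('Upload failed.');
    }

    // MAX_FILE_SIZE lives in the form, so the client controls it: re-check the
    // PHP-provided size, and confirm tmp_name really is this request's upload.
    if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('Upload rejected.');
    }

    // $f['type'] and $f['name'] come from the client and are never used.
    // The type is detected from the content and the stored name is generated here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('File type not allowed.');
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    return $dest;
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    try { handle_upload($_FILES); echo 'Stored.'; }
    catch (RuntimeException $e) { http_response_code(400); echo $e->getMessage(); }
}
```

Content sniffing with finfo only inspects leading bytes, so the generated extension and a storage directory without script execution are what keep a stored file from being run.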

Category:

Science & Technology

License:

Standard YouTube License

All Comments (3)

  • Try This

    unlimiteduploads.co.cc

    tell me if u want the codes

  • use a mic!
