Remediation of RCE: Restricting Unsupported File Uploads

Pentester Helper2
2 min readNov 22, 2022


RCE (Remote Code Execution) is where an attacker gains control of the server by uploading an unsupported file, such as a .php file. With it, the attacker can remotely edit, update or delete files on the server and steal confidential data.

How to Restrict Unsupported File Uploads

1. Always check the file extension.

Let's suppose you want to upload a user's profile picture; in that case, always check for an image extension (.png, .jpeg, .jpg).

// Extract the extension from the uploaded file name and normalise its case
$imageFileType = strtolower(pathinfo($_FILES["fileToUpload"]["name"], PATHINFO_EXTENSION));
// Allow only image extensions; anything else (e.g. .php) is rejected
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
$uploadOk = 0;
}

2. Always check the content type of the file.

Attackers routinely manipulate the Content-Type header to upload restricted files, so verify the file's actual content on the server instead of trusting the declared type.

if(isset($_POST["submit"])) {
// Inspect the file's actual bytes instead of trusting the client-sent Content-Type
$check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
if($check !== false) {
echo "File is an image - " . $check["mime"] . ".";
$uploadOk = 1;
} else {
echo "File is not an image.";
$uploadOk = 0;
}
}

3. Check whether the file name contains a double extension.

An attacker can upload a file with a double extension: the developer wants users to upload only image files (.png, .jpg), but the attacker adds an additional extension (.php.png, .php.jpeg) and uploads that to the server.


$file_name=$_FILES["fileToUpload"]["name"];
// Split on ".": "photo.png" gives 2 parts, "shell.php.png" gives 3
$split_filename = explode(".",$file_name);
$check_double_exe = count($split_filename);
if($check_double_exe == 2){
$uploadOk = 1;
}else{
echo "Only one extension is allowed.";
$uploadOk = 0;
}

4. Remove spaces from, or replace, the uploaded file name.

An attacker can craft a file name such as “file_name.php%00.png” and upload it to the server, so the developer should discard the user-supplied file name and assign a new one.

5. Remove metadata from the image.

An image contains many things besides pixels, and an attacker can change the image's metadata to embed PHP code inside it.

$my_exif_data = exif_read_data( $file_name ); // inspect the metadata (requires the exif extension)
print_r( $my_exif_data );
// Re-encoding with GD (used here instead of the non-existent destroy() call) writes a new file without the original metadata
imagejpeg( imagecreatefromjpeg( $file_name ), $file_name, 90 );
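The five checks above belong together in one upload handler. The following is an added example, not code from the original post; it assumes a form field named "fileToUpload", a PHP 8 build with the GD extension, and an upload directory passed as $uploadDir that sits outside the web root.

```php
<?php
// Added example (not from the original post): one handler that applies all five checks.
// Assumptions: PHP 8 with GD, form field "fileToUpload", $uploadDir outside the web root.
function handleImageUpload(array $file, string $uploadDir): string
{
    $allowedExt  = ['jpg', 'jpeg', 'png', 'gif'];
    $allowedMime = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }
    // 3. Reject double extensions: "name.php.png" splits into three parts.
    $parts = explode('.', $file['name']);
    if (count($parts) !== 2) {
        throw new RuntimeException('Only one extension is allowed.');
    }
    // 1. Extension allowlist, compared case-insensitively.
    $ext = strtolower($parts[1]);
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException('Only JPG, JPEG, PNG & GIF files are allowed.');
    }
    // 2. Check the actual content, not the client-supplied Content-Type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowedMime[$info['mime']])) {
        throw new RuntimeException('File is not an image.');
    }
    $ext = $allowedMime[$info['mime']]; // the stored extension follows the detected type
    // 4. Discard the user-supplied name (e.g. "x.php%00.png") in favour of a random one.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // 5. Re-encode with GD so EXIF and other metadata are not carried into the stored file.
    $img = imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Could not decode image.');
    }
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $target, 90),
        'png' => imagepng($img, $target),
        'gif' => imagegif($img, $target),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not save image.');
    }
    return $target;
}

// Usage from the form handler:
// $stored = handleImageUpload($_FILES['fileToUpload'], '/var/app/uploads');
```

Keeping $uploadDir outside the web root means that even a file which slips past a check is never executed by the PHP interpreter when requested.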

Written by Pentester Helper2

Android Developer || Security Engineer || Bug Bounty @bugcrowd
