0
I have a problem involving PHP and 777 permission. On my server, there is an uploads folder with permission 777, and a hacker managed to upload a file .php in that folder, which changed everything that was on my server. I would like to know how to do this and how I can avoid this vulnerability.
3
Here are some safety tips when working with upload files in php:
Check that the mime-type of the file matches the type of file you want to upload. Don’t just rely on the file extension or the HTTP Content-type header. For example, if you want to ensure that the upload file is a gif image:
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime_type = finfo_file($finfo, "image.gif");
finfo_close($finfo);
if($mime_type == 'image/gif') {
// arquivo é gif
}
Browser other questions tagged php server
You are not signed in. Login or sign up in order to post.
You need to bar the upload by extension. The issue that you cannot allow the upload of a file is . php, . py, etc. Because these files are interpreted by the server when requested. Your upload function needs to be handled to prevent these files from being uploaded.
– Skywalker
Thank you, you helped me so much so I think that should be because my script is without this filter.
– mikaellemos033
For example, if you need to upload photos, then put the filter for files that end with the name (.jpeg, .png, .jpg, .bmp, etc.), otherwise the upload cannot be done.
– Skywalker
As the hack has already been done advise, change root user name of the database, if you have ssh access, change user name and password.
– Skywalker
you also work with that permission or you think it is unnecessary?
– mikaellemos033