How to prevent every malicious file upload on my server? (check file type)?

Question

my proble is to avoid that users upload some malicious file on my web-server. Im working on linux environment (debian).

Actually the uploads are handled via php by t

Answer 1

I'm afraid to say that the answer you selected as correct is not correct. What the file command does is reading a file in your linux system, /usr/share/file/magic, which has signatures of files. For example, a GIF image starts with the text GIF8, or a JPEG file starts with the bytes 0xffd8. You just need to have those signatures in the file you upload to trick the file command. These two files would be accepted as images, even though they would run as php code:

eval_gif.php:

GIF8

eval_jpg.php(hexdump):

ff d8 3c 3f 70 68 70 20  65 76 61 6c 28 24 5f 47  |....|

These are the most common mistakes when filtering:

• Not filter at all.
• Filter based on incorrect regular expressions easily bypassable.
• Not using is_uploaded_file and move_uploaded_file functions can get to LFI vulnerabilities.
• Not using the $_FILES array (using global variables instead) can get to RFI vulns.
• Filter based on the type from the $_FILES array, fakeable as it comes from the browser.
• Filter based on server side checked mime-type, fooled by simulating what the magic files contain (i.e. a file with this content GIF8 is identified as an image/gif file but perfectly executed as a php script)
• Use blacklisting of dangerous files or extensions as opposed to whitelisting of those that are explicitely allowed.
• Incorrect apache settings that allow to upload an .htaccess files that redefines php executable extensions (i.e. txt)..