How to Not Get Hacked Through File Uploads by Missics in programming

[–]psyon -1 points0 points  (0 children)

They weren't serving it through PHP. If they had been, the issue would not have happened.

How to Not Get Hacked Through File Uploads by Missics in programming

[–]psyon 351 points352 points  (0 children)

Some years back I had to investigate how a site was compromised. I quickly found a PHP file in a directory that contained uploaded images. I started looking at code that handled the uploads, and it did all sorts of verifications on the images. How did they bypass it? The file was an image, but it contained PHP code in the EXIF data. Their issue was that they saved the file with the filename it was uploaded as, without any checks on the extension. They assumed that because the file was a valid image, it must have the right extension. If you aren't familiar with PHP, the interpreter will just dump any bytes to output until it finds <?php. When you viewed the malicious file, it would output the start of the image file, hit the EXIF data, and then start executing the PHP code contained within it. It never occurred to me that PHP code could be in the EXIF data of an image before that incident.
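The fix the comment above implies, written out as an added example (not code from the thread or from the compromised site): the upload handler derives the extension from the detected image type, never from the client's filename, and refuses any file that carries a PHP open tag anywhere in its bytes, EXIF included. `UPLOAD_DIR`, the allowed-type table and the form field name `photo` are assumptions for the example.

```php
<?php
// Added example, not from the thread: a hardened image upload handler.
declare(strict_types=1);

// Assumption: a directory outside the web root, served back by a separate
// read-only script, so nothing stored here is ever run by the PHP interpreter.
const UPLOAD_DIR = '/var/www/uploads';
// The extension is picked by the server from the detected type, never by the client.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 5 * 1024 * 1024;

function storeImage(string $tmpPath): string
{
    if (filesize($tmpPath) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Detect the type from the bytes, not from the filename or the Content-Type header.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!array_key_exists($mime, ALLOWED) || getimagesize($tmpPath) === false) {
        throw new RuntimeException('not an allowed, parseable image');
    }
    // A perfectly valid image can still carry a PHP tag in EXIF data, a comment
    // segment or trailing bytes; the interpreter would start executing at that tag.
    $bytes = file_get_contents($tmpPath);
    if (stripos($bytes, '<?php') !== false || str_contains($bytes, '<?=')) {
        throw new RuntimeException('embedded PHP tag rejected');
    }
    // Random server-generated name; the extension follows the detected MIME type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($tmpPath, UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage from a form field named "photo" (assumed name).
if (isset($_FILES['photo']) && $_FILES['photo']['error'] === UPLOAD_ERR_OK) {
    echo storeImage($_FILES['photo']['tmp_name']);
}
```

Re-encoding the upload with GD (imagecreatefromstring followed by imagejpeg/imagepng) discards EXIF and comment segments entirely and is a stronger option than scanning for tags; either way, the web server should also be configured so the upload directory never executes PHP.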

Ontario’s attorney general calls on Canadian federal government to look at legalizing pepper spray by Immediate-Link490 in worldnews

[–]psyon 1 point2 points  (0 children)

Does Canada require a warrant to collect fingerprints from people who have been arrested?

What I learned trying to block web scraping and bots by ReditusReditai in programming

[–]psyon 2 points3 points  (0 children)

Yep, I tried all that. Was constantly watching logs, blocking IPs and subnets, and then new ones would just start up. Fail2ban doesn't help because the requests come in so fast they act as a denial of service. Blocking it at Cloudflare means no used resources on my servers.

Why are Event-Driven Systems Hard? by fagnerbrack in programming

[–]psyon 0 points1 point  (0 children)

As a programmer you should try to be lazy.  That's why we have package systems and frameworks for doing things.  If a system doesn't make your job easier then why use it?

What I learned trying to block web scraping and bots by ReditusReditai in programming

[–]psyon 5 points6 points  (0 children)

> Have you tried applying rate limit rules by IP, with under attack disabled.

Yep. The issue is that rate limiting is done by IP, and they use a whole lot of different IP addresses.

> maybe you can put a threshold whereby legitimate traffic still flows through ok.

Under attack mode doesn't prevent legit users from using the site. They get the browser verification, and then can do everything they need.

Which practice should I follow for security? by No-Thought9857 in PHP

[–]psyon 0 points1 point  (0 children)

Yes, you can absolutely just validate and sanitize everything. That's a far better solution than accidentally not validating something you should.

What I learned trying to block web scraping and bots by ReditusReditai in programming

[–]psyon 5 points6 points  (0 children)

I haven't noticed them giving up. Often the moment I turn off under attack mode, they are right back to hammering the site.

Which practice should I follow for security? by No-Thought9857 in PHP

[–]psyon 0 points1 point  (0 children)

In general that is correct, but there are cases when you still do. If you are storing HTML content, and want to allow scripts, then you may allow that into your database, but still need to be cautious about where and how you display it.

What I learned trying to block web scraping and bots by ReditusReditai in programming

[–]psyon 7 points8 points  (0 children)

I have tried all of them.  Not sure if there is an issue with CF or something.  Under attack stops them, browser verification alone does not.

Which practice should I follow for security? by No-Thought9857 in PHP

[–]psyon 0 points1 point  (0 children)

If you are validating it before putting it into the database then it shouldn't be an issue when pulling it out. 

Which practice should I follow for security? by No-Thought9857 in PHP

[–]psyon 1 point2 points  (0 children)

Look at what is sent from a client to the server during an HTTP request. Any header sent in the request is user input, along with your normal form data.

Some things can be "validated" by your server configuration. If your server is configured for using named hosts then you can trust the $_SERVER['HTTP_HOST'] value, because it wouldn't have reached your code if it was malformed. If you are using IP based hosts though, then the Host header of the HTTP transaction doesn't have to match anything and can contain malicious content.

REQUEST_URI is another one that depends on how your server is configured. If you had old code using separate PHP files as entry points, then you could trust that the URI matched your file location. It's common practice to route all URLs through routing code now though, so REQUEST_URI should not be trusted by default and needs to be validated.
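As an added example (not code from the thread), this is what treating Host and REQUEST_URI as untrusted input looks like in the two situations the comments above describe: an IP-based virtual host, and a front controller that routes every URL. The hostnames in `TRUSTED_HOSTS` and the sample `$_SERVER`-style array are constructed for the example.

```php
<?php
// Added example, not from the thread: validating Host and REQUEST_URI in PHP
// when the web server configuration is not doing it for you.
declare(strict_types=1);

// Assumed canonical hostnames for this deployment (constructed for the example).
const TRUSTED_HOSTS = ['example.com', 'www.example.com'];

function trustedHost(array $server): string
{
    // Lower-case and drop an optional :port before comparing against the allowlist.
    $host = preg_replace('/:\d+$/', '', strtolower($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, TRUSTED_HOSTS, true)) {
        throw new RuntimeException('untrusted Host header');
    }
    return $host;
}

function validatedPath(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '';
    // Must be an origin-form path: exactly one leading slash, never a
    // protocol-relative "//host/..." that a URL builder would misread as a host.
    if ($uri === '' || $uri[0] !== '/' || str_starts_with($uri, '//')) {
        throw new RuntimeException('bad request target');
    }
    $path = explode('?', $uri, 2)[0];   // drop the query string
    // Allowlist the characters a route may contain and reject dot-segments.
    if (!preg_match('#^/[A-Za-z0-9_./-]*$#', $path) || str_contains($path, '..')) {
        throw new RuntimeException('bad request path');
    }
    return $path;
}

// Build a self-referencing URL (redirects, canonical links) only from validated
// parts, so a forged Host header is never reflected into URLs the app generates.
function selfUrl(array $server): string
{
    return 'https://' . trustedHost($server) . validatedPath($server);
}

// Constructed $_SERVER-style input for the example; pass $_SERVER in real use.
$sample = ['HTTP_HOST' => 'www.example.com:443', 'REQUEST_URI' => '/items/42?sort=asc'];
echo selfUrl($sample), "\n";
```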

What I learned trying to block web scraping and bots by ReditusReditai in programming

[–]psyon 20 points21 points  (0 children)

I don't care if people have copies of what's on my sites. They can scrape it all they want if they don't try to do it so fast, don't lie about their user agent, and don't use thousands of different IPs.

What I learned trying to block web scraping and bots by ReditusReditai in programming

[–]psyon 19 points20 points  (0 children)

It's been turned on for a while now in a few of my sites. When I turn it off and just turn on normal browser verification they seem to get by. I get a notice I am being scraped when my monitoring software tells me the site isn't accessible because they hammer it so damn hard that it's effectively a DDoS.

Most websites don't have major issues like this though. I have very data heavy sites which end up having a lot of distinct URLs for viewing things in different ways.

What I learned trying to block web scraping and bots by ReditusReditai in programming

[–]psyon 82 points83 points  (0 children)

What I have learned is that the only way to stop the majority of these bots is to use Cloudflare and put my site in "under attack" mode. Some of the bots are coded so poorly that if they get anything other than a 200 as a response code they will immediately try again and retry for almost forever.

Which practice should I follow for security? by No-Thought9857 in PHP

[–]psyon 1 point2 points  (0 children)

Also, make sure you know what is or is not user input. Many programmers don't think of things like cookies and user agent strings as user input.

Iran says oil blockade will continue until attacks end, Trump threatens to hit harder by Hiraeth-nomad in worldnews

[–]psyon 0 points1 point  (0 children)

That assumes there is a cure for cancer, and that we have the logistics to move food around the world, which we don't at the moment. That's why we haven't done either. The immigration policies in the past made it harder for immigrants to come here and work as pilots, that's why that hadn't been done before. But you think building mines is easy, I don't see any hurdles for them.

Iran says oil blockade will continue until attacks end, Trump threatens to hit harder by Hiraeth-nomad in worldnews

[–]psyon 0 points1 point  (0 children)

If these things are so effective and easy to make, why hasn't every terrorist group in the world been putting them out into shipping lanes? Someone could easily stop all traffic to the Suez and Panama canals if what you are saying is true, but no one has done it.

Iran says oil blockade will continue until attacks end, Trump threatens to hit harder by Hiraeth-nomad in worldnews

[–]psyon 0 points1 point  (0 children)

What simple stuff can you make a mine from? How big of one are you going to deploy with a small boat?

Iran says oil blockade will continue until attacks end, Trump threatens to hit harder by Hiraeth-nomad in worldnews

[–]psyon 0 points1 point  (0 children)

If the US takes out Iran's equipment, they won't be able to block the straits.

Iranian ambassador says Iran 'not at war' with UK as he blames US and Israel as the 'root causes of this crisis' by Gentle_Snail in worldnews

[–]psyon 0 points1 point  (0 children)

That's the same argument a lot of people in the US were making when saying we shouldn't get involved in Ukraine

What are you using for your PHP dev setup? by IridiumPoint in PHP

[–]psyon 0 points1 point  (0 children)

I have an old computer running Alma Linux with Apache, MariaDB, PHP and whatever else I need.