False Uploads

From SecurePHPWiki
Jump to: navigation, search

A malicious user can modify variables that may cause PHP to display a dangerous file such as /etc/passwd or copy that file to a viewable location. This could be avoided using the same means as described above, but because of the severity of the problem, there are a few other things that can help prevent this.

Use PHP’s is_uploaded_file and move_uploaded_file functions to ensure that you are indeed working with the uploaded file. Also, set upload_tmp_dir to a secure location and perform checks to ensure you are working in this directory.