This weekend my website was offline for 3 hours because my hosting provider detected a malicious file inside the upload directory I use for a PHP upload demo on my website. This breach was (also) possible because several months ago I forgot to update a CRON job that frequently deletes all uploaded files. The downtime lasted 3 hours because it happened in the middle of the night in the timezone where I live. After I removed the malicious file, my web hosting provider Webfaction re-enabled my website within just a few minutes.
MIME type detection during uploads
How was it possible that someone was able to upload a malicious file? My PHP upload demo uses the PHP upload class I wrote several years ago. This “old” PHP class is a script I still use for many custom scripts and websites. MIME type detection has been available since version 2.33, which was released more than two years ago, but it seems my demo wasn’t using that feature. The validation of the file extension worked as intended, and the malicious file was a JPG file, so the extension check alone did not stop it.
The old MIME type detection was based on the PHP function mime_content_type(), which has been marked as deprecated for some time. In the latest version of my upload script, the complete MIME type function is rewritten and now supports the Fileinfo extension for PHP 5. The new class method get_mime_type() still supports the old function mime_content_type() as a fallback for older scripts.
Check MIME type is always ON now
In the previous version it was necessary to enable MIME type detection explicitly during upload, and that was also the reason my upload demo failed. Now it is always on: you only need to set the new variable $validate_mime to “false” if your web host doesn’t support either of the MIME type detection functions. The Fileinfo extension is enabled by default since PHP version 5.3 and should be available on most web hosts.
Other updates for PHP Upload Class 2.34
Besides the new method, I have updated the way the file’s MIME type is checked during upload. While testing I noticed that the old REGEX pattern used to validate a “valid” file name had some bugs. The pattern is updated and should now work for all regular file names. The class script also received some code clean-up. The updated PHP class should still work for older upload scripts created with class version 2.x. Try the updated PHP Upload demo or download the updated version here.
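To show what the two changes described above (content-based MIME detection with a mime_content_type() fallback, and a stricter file name check) look like together, here is an added example. It is not the PHP Upload Class's own code: the function names detect_mime_type() and validate_upload(), the allowed-type table and the FILENAME_PATTERN regex are all assumptions made for this example, not the class's get_mime_type() method or its updated pattern, and it assumes PHP 7 or newer so that constants can hold arrays.

```php
<?php
// Added example (not the PHP Upload Class's own code): detect the real MIME type
// of an uploaded file with Fileinfo, fall back to mime_content_type(), and reject
// files whose content, extension or name does not match the image-only policy.

// Assumed policy for this example: content type => extensions that may carry it.
const ALLOWED_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

// Assumed file-name rule (not the class's updated REGEX pattern): letters,
// digits, dash and underscore, then exactly one short extension; no leading dot,
// so "../x.jpg", ".htaccess" and "shell.php.jpg" are all rejected.
const FILENAME_PATTERN = '/^[A-Za-z0-9_-]+\.[A-Za-z0-9]{1,5}$/';

// Returns the detected MIME type, or null if no detector is available on the host.
function detect_mime_type(string $path): ?string
{
    if (function_exists('finfo_open')) {            // Fileinfo, bundled since PHP 5.3
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo !== false) {
            $type = finfo_file($finfo, $path);
            finfo_close($finfo);
            if ($type !== false) {
                return $type;
            }
        }
    }
    if (function_exists('mime_content_type')) {     // legacy fallback for old hosts
        $type = @mime_content_type($path);
        if ($type !== false) {
            return $type;
        }
    }
    return null;
}

// Returns a list of validation errors; an empty list means the upload is accepted.
// $validateMime mirrors the idea of the class's $validate_mime switch: only turn
// it off when neither detector exists, because the extension check alone is weak.
function validate_upload(string $tmpPath, string $clientName, bool $validateMime = true): array
{
    $errors = [];
    $name = basename($clientName);                  // drop any client-supplied path
    if (!preg_match(FILENAME_PATTERN, $name)) {
        $errors[] = 'file name contains disallowed characters';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $allowedExts = array_merge(...array_values(ALLOWED_TYPES));
    if (!in_array($ext, $allowedExts, true)) {
        $errors[] = "extension .$ext is not allowed";
    }
    if ($validateMime) {
        $mime = detect_mime_type($tmpPath);
        if ($mime === null) {
            $errors[] = 'MIME type detection is not available on this host';
        } elseif (!isset(ALLOWED_TYPES[$mime])) {
            $errors[] = "content type $mime is not allowed";
        } elseif (!in_array($ext, ALLOWED_TYPES[$mime], true)) {
            $errors[] = "extension .$ext does not match content type $mime";
        }
    }
    return $errors;
}

// Constructed sample: a file named like a JPG whose bytes are plain text, not an
// image. The extension check passes it; the content check reports a mismatch.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "this is not a JPEG image\n");
print_r(validate_upload($tmp, 'photo.jpg'));
unlink($tmp);
```

The detected type is taken from the file's bytes, so renaming a non-image to .jpg no longer gets it past the check. Content sniffing is still a heuristic, so the other two layers in the post remain worth keeping: a periodic job that empties the demo upload directory, and a web server configuration that never executes files from that directory.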