I have a rails app (v4.2). I have two actions that permit an image upload using paperclip. I have paperclip validation on the mime types.
Anti-malware on the server found a bunch of PHP files in /tmp like this one:
/tmp/RackMultipart20190610-9668-u9nebk.php
I assume they are created in the file upload process.
Two questions:
How can I track down where they came from? Looking in my production.log, I see a bunch of 404s for posts to bogus joomla & wordpress .php paths but nothing that could have been responsible for these uploads.
How can I prevent them in the future?
I'm using rack attack and can block .php file extensions but how can I block file uploads in forms?
We have two places where signed in members can upload images or PDFs. How can I block all other attempts to upload files?
File upload bypass is a common technique for uploading webshells and other stuff.
There are two basic methods that will help you decrease the number of files uploaded to your server:
MIME Content-type validation: If you validate the content type of the uploaded file (since you just want images), you can ensure that only image-type files are uploaded:
But this still can be bypassed, so you need to add another verification:
File extension validation: You should also add file extension validation to ensure you only permit image-type extensions for your upload.
I've found a cool post that shows a good implementation of file extension validation: https://stevenyue.com/blogs/validate-attachment-file-size-and-type-in-rails/
Make sure you implement both of these techniques and you should be fine.
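One caveat worth knowing about the /tmp files from the question: Rack's multipart parser writes every uploaded file part to a Tempfile named RackMultipart... (keeping the extension from the client-supplied filename) before your controller or any Paperclip validation ever runs, so model-level validation decides whether the upload is kept, not whether a temp file is briefly created. The point of the two checks above is therefore that nothing reaches the attachment store unless both the content and the name look right. The block below is an added example (not code from the question, the answer, or the linked post, and not Paperclip's own API) showing how both checks can be combined in plain Ruby: it sniffs the real type from the file's leading bytes instead of trusting the client-declared Content-Type, whitelists extensions, and requires the two to agree. The module name UploadCheck, its methods, and the sample uploads are all constructed for the example.

```ruby
# Added example: content-sniffing upload validation for a Rails/Paperclip-style
# upload flow. Not part of any project; all names here are hypothetical.
require "stringio"

module UploadCheck
  # Magic-byte prefix => [MIME type the content really is, extensions allowed for it]
  SIGNATURES = {
    "\x89PNG\r\n\x1A\n".b => ["image/png",       %w[.png]],
    "\xFF\xD8\xFF".b      => ["image/jpeg",      %w[.jpg .jpeg]],
    "GIF87a".b            => ["image/gif",       %w[.gif]],
    "GIF89a".b            => ["image/gif",       %w[.gif]],
    "%PDF-".b             => ["application/pdf", %w[.pdf]],
  }.freeze

  ALLOWED_EXTENSIONS = SIGNATURES.values.flat_map(&:last).uniq.freeze

  # Detect the real type from the first bytes of the content, ignoring whatever
  # Content-Type the browser (or a script pretending to be one) declared.
  def self.sniff(io)
    io.rewind
    head = io.read(16).to_s.b
    io.rewind
    SIGNATURES.each do |magic, (mime, _exts)|
      return mime if head.start_with?(magic)
    end
    nil
  end

  # Returns [] when the upload is acceptable, otherwise a list of reasons.
  # filename and declared_type are what the client sent; io is the temp file.
  def self.errors_for(filename:, declared_type:, io:)
    errors = []
    ext = File.extname(filename.to_s).downcase
    errors << "extension #{ext.inspect} not allowed" unless ALLOWED_EXTENSIONS.include?(ext)

    real = sniff(io)
    if real.nil?
      # e.g. a PHP script renamed to .png: extension passes, content does not
      errors << "content is not a recognised image or PDF"
    else
      allowed_exts = SIGNATURES.values.find { |mime, _| mime == real }.last
      errors << "extension #{ext} does not match content (#{real})" unless allowed_exts.include?(ext)
      errors << "declared type #{declared_type} does not match content (#{real})" unless declared_type == real
    end
    errors
  end

  def self.valid?(filename:, declared_type:, io:)
    errors_for(filename: filename, declared_type: declared_type, io: io).empty?
  end
end

# Constructed sample uploads (not real files): a genuine PNG header, a PHP
# script uploaded under a .png name, and PNG bytes uploaded under a .php name.
SAMPLES = {
  good_png:   { filename: "avatar.png", declared_type: "image/png",
                io: StringIO.new("\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b) },
  php_as_png: { filename: "shell.png",  declared_type: "image/png",
                io: StringIO.new("<?php echo 'x'; ?>".b) },
  png_as_php: { filename: "a.php",      declared_type: "image/png",
                io: StringIO.new("\x89PNG\r\n\x1A\n".b) },
}.freeze

# Run every sample through the validator; returns { name => [errors] }.
def check_samples
  SAMPLES.transform_values { |s| UploadCheck.errors_for(**s) }
end

if __FILE__ == $PROGRAM_NAME
  check_samples.each { |name, errs| puts "#{name}: #{errs.empty? ? 'ok' : errs.join('; ')}" }
end
```

In a Rails 4.2 app this logic would sit in a custom validator on the model that owns the attachment (Paperclip 4 already does a similar magic-byte check via its media type spoof detector, so use validates_attachment_content_type together with an extension check rather than reinventing it), and the declared-type comparison can be relaxed if your users' browsers send application/octet-stream for legitimate files. The samples make the point of the answer concrete: the renamed PHP file passes the extension check alone, and the PNG named .php passes the content check alone; only requiring both rejects both.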