Aytek Aytek - 15 days ago 7
PHP Question

Force image download - .php files download

This is my download.php:

<?php
session_start();
$file = $_GET['file'];   // user-controlled path, passed straight to download_file()

download_file($file);

function download_file( $fullPath ){

    // Must be fresh start
    if( headers_sent() )
        die('Headers Sent');

    // Required for some browsers
    if(ini_get('zlib.output_compression'))
        ini_set('zlib.output_compression', 'Off');

    // File Exists?
    if( file_exists($fullPath) ){

        // Parse Info / Get Extension
        $fsize = filesize($fullPath);
        $path_parts = pathinfo($fullPath);
        $ext = strtolower($path_parts["extension"]);

        // Determine Content Type
        switch ($ext) {
            case "pdf": $ctype="application/pdf"; break;
            case "exe": $ctype="application/octet-stream"; break;
            case "zip": $ctype="application/zip"; break;
            case "doc": $ctype="application/msword"; break;
            case "xls": $ctype="application/vnd.ms-excel"; break;
            case "ppt": $ctype="application/vnd.ms-powerpoint"; break;
            case "gif": $ctype="image/gif"; break;
            case "png": $ctype="image/png"; break;
            case "jpeg":
            case "jpg": $ctype="image/jpeg"; break;
            // Any other extension (including .php) is still served, just with a generic type
            default: $ctype="application/force-download";
        }

        header("Pragma: public"); // required
        header("Expires: 0");
        header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
        header("Cache-Control: private",false); // required for certain browsers
        header("Content-Type: $ctype");
        // The download name is taken from a second request parameter ("isim")
        header("Content-Disposition: attachment; filename=\"".$_REQUEST["isim"]."\";" );
        header("Content-Transfer-Encoding: binary");
        header("Content-Length: ".$fsize);
        ob_clean();
        flush();
        readfile( $fullPath );

    } else
        die('File Not Found');

}


This is a forced jpg download file. But this file can download all .php files.

Normally I use this download link and download an image:
http://domain.net/download.php?file=wp-content/uploads/2016/04/10/126379-fantasy_art.jpg

But then I tested this link, which downloads my config file...
http://domain.net/download.php?file=wp-config.php

I think this is a big vulnerability.

How can I fix this? I don't want to download any .php files...

Thanks..

Answer

Use default in your switch case to avoid this problem:

Remove this:

default: $ctype="application/force-download";

Replace it with this: default: die('File not found'); or default: return false;

Also you could check whether the path makes sense, e.g. it should be a subfolder of uploads. This post has some info for you: Test if a directory is a sub directory of another folder
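Putting both halves of the answer together (an extension allow-list plus a "must be under uploads" path check), here is an added example of a hardened download.php. It is not code from the original question or answer; it assumes the script lives in the web root (`__DIR__`), that uploads live under `wp-content/uploads`, and that links keep the original form `download.php?file=wp-content/uploads/...`. The function names `resolve_download` and `send_download` are hypothetical:

```php
<?php
// Added example (not from the original question or answer): download.php that
// refuses anything outside the uploads directory and anything not on the allow-list.
// Assumption: this file sits in the web root, uploads are in wp-content/uploads.
declare(strict_types=1);

const WEB_ROOT    = __DIR__;
const UPLOAD_ROOT = __DIR__ . '/wp-content/uploads';

// Allow-list: only these extensions are served, with the type we choose (not the client).
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'zip'  => 'application/zip',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Resolve a user-supplied relative path against $webRoot and return the
 * canonical absolute path, or null if the file is missing, is not a regular
 * file, escapes $uploadRoot (../, symlinks), or has a disallowed extension.
 */
function resolve_download(string $webRoot, string $uploadRoot, string $requested): ?string
{
    // Cheap early rejects: empty, NUL byte, absolute path.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === '/') {
        return null;
    }

    // realpath() collapses "..", resolves symlinks and returns false if the target is missing.
    $uploadReal = realpath($uploadRoot);
    $real       = realpath($webRoot . '/' . $requested);
    if ($uploadReal === false || $real === false) {
        return null;
    }

    // Require "<uploads>/" as a prefix (with the separator, so "uploads_evil/x" is rejected).
    $prefix = $uploadReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;   // e.g. wp-config.php resolves to the web root, not under uploads
    }

    if (!is_file($real)) {
        return null;   // directories, devices, etc.
    }

    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;   // .php, .htaccess, no extension, ... all fall here
    }

    return $real;
}

/** Stream an already-validated file as an attachment. */
function send_download(string $path): void
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));

    // Download name comes from the file itself, not from a second request parameter,
    // and is restricted to a safe character set so it cannot break the header.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, must-revalidate');
    readfile($path);
}

$path = resolve_download(WEB_ROOT, UPLOAD_ROOT, $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('File Not Found');
}
send_download($path);
```

With this in place `?file=wp-content/uploads/2016/04/10/126379-fantasy_art.jpg` still works, while `?file=wp-config.php`, `?file=../../etc/passwd` and `?file=wp-content/uploads/shell.php` all get a 404. Because `realpath()` resolves symlinks before the prefix check, a symlink dropped into uploads that points at wp-config.php is rejected as well. The `$_REQUEST["isim"]` filename parameter from the original script is gone: an attacker-controlled value in `Content-Disposition` is a header-injection risk, and the real filename is all the browser needs.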