PhpSecInfo Test Information
file_uploads
Test Description
This test determines if file uploads are enabled in PHP.
Security Implications
When you allow files to be uploaded to your system, you assume a number of risks: files may not be what they appear to be (executables masquerading as images, PHP scripts uploaded and moved to a location where they may be run, etc.). If your site doesn't actually require file uploads, disabling this will prevent files from being accepted inadvertently.
Recommendations
If users of your application do not need to upload files, turn this feature off.
In php.ini:
    ; Disable file_uploads for security reasons
    file_uploads = 'off'
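The setting can also be disabled in Apache's httpd.conf file:
    # Disable file_uploads for security reasons
    # (file_uploads is a PHP_INI_SYSTEM directive, so it needs php_admin_flag;
    # php_flag only applies to PHP_INI_PERDIR and PHP_INI_ALL directives)
    php_admin_flag file_uploads off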
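To confirm the change took effect, the following added example (not part of PhpSecInfo) reads the effective value of file_uploads and reports which php.ini was loaded. The helper name ini_flag_enabled is hypothetical. Run it through the same SAPI that serves the site, since the CLI often loads a different php.ini than the web server.

```php
<?php
// Added example, not PhpSecInfo code. ini_flag_enabled() is a hypothetical helper.
// It interprets a raw ini string the way PHP treats boolean directives:
// "on", "yes" and "true" (any case) are true; otherwise the integer value decides.
function ini_flag_enabled($raw)
{
    if ($raw === false) {
        // ini_get() returns false when the directive does not exist.
        return false;
    }
    $value = strtolower(trim((string) $raw));
    if (in_array($value, array('on', 'yes', 'true'), true)) {
        return true;
    }
    // "off", "no", "false", "" and "0" all convert to integer 0.
    return (int) $value !== 0;
}

$enabled = ini_flag_enabled(ini_get('file_uploads'));
$iniFile = php_ini_loaded_file();

printf("SAPI:         %s\n", php_sapi_name());
printf("php.ini:      %s\n", $iniFile !== false ? $iniFile : '(none loaded)');
printf("file_uploads: %s\n", $enabled ? 'ENABLED' : 'disabled');

// Non-zero exit status lets a deployment check fail when uploads are still on.
exit($enabled ? 1 : 0);
```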


