Friday, February 11, 2022

[FIXED] File upload security vulnerability

 February 11, 2022     lamp, php     No comments   

Issue

Is there any file upload security vulnerability in my code? I am using Apache on the server side. File upload is enabled in the php.ini file.

<?php
if ($_FILES["file"]["size"] < 100000) // maximum upload size is 100 kb
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
        if (file_exists("upload/" . $_FILES["file"]["name"]))
        {
            echo $_FILES["file"]["name"] . " already exists. ";
        }
        else
        {
            // stored first under the client-supplied name, then renamed below
            move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
            $var = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
            $samp = str_shuffle($var);
            $pass = substr($samp, 0, 20); // creating a random text for file name.
            $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION); // client-supplied extension, kept as-is
            $ext = ".{$ext}";
            $newfilename = "upload/" . $pass . $ext;
            rename("upload/" . $_FILES["file"]["name"], $newfilename);
            echo "Stored in: " . $newfilename;
            echo "<br>extension : " . $ext;
        }
    }
}
else
    echo "File size is too large..";
?>

Solution

Potentially, yes.

What would happen if someone uploaded a PHP file? Would they be able to determine the filename, file URL, and run the PHP file?

If so, that program could use the scandir() function to get a list of all your filenames.

To prevent this, you could store the files outside the DocumentRoot path, refuse to accept .php files, or use .htaccess to turn the PHP engine off in that directory.



Answered By - user984869
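The following is an added example, not the asker's code or the answerer's, showing what the same handler looks like once the answer's advice is applied: the upload directory is outside DocumentRoot, the extension comes from an allowlist (so .php and friends are refused) and is cross-checked against the sniffed MIME type, and the stored name is random and never derived from user input. The directory path, the allowlist and the 100 kB limit are assumptions chosen to match the question.

```php
<?php
// Added example (not the original post's code). Assumptions: UPLOAD_DIR lies
// outside the web root, and files are later served by a separate download
// script rather than by Apache directly, so nothing in it is ever executed.
declare(strict_types=1);

const MAX_BYTES  = 100000;                           // same 100 kB limit as the question
const UPLOAD_DIR = __DIR__ . '/../uploads_private';  // assumption: one level above DocumentRoot

// Allowlist: only these extensions are accepted, and each must match the
// MIME type detected from the file's actual contents.
const ALLOWED = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns the stored path, or throws RuntimeException with the reason.
 */
function storeUpload(array $file, string $dir = UPLOAD_DIR): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload request');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload error code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size is too large');
    }
    // Only trust a temp file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // The client-supplied name is untrusted. Only its final extension is used,
    // lowercased, and it must be on the allowlist: ".php", ".phtml" etc. are refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('File type not allowed');
    }

    // Cross-check the extension against the content's detected MIME type, so a
    // script renamed to .png is rejected as well.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }

    // Random name from a CSPRNG (str_shuffle() is not cryptographic), never built
    // from user input, so path traversal via the filename is impossible.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;

    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Failed to store file');
    }
    chmod($dest, 0640); // plain data file, never executable
    return $dest;
}

// Usage from the upload handler script.
if (isset($_FILES['file'])) {
    try {
        $stored = storeUpload($_FILES['file']);
        echo 'Stored as ' . htmlspecialchars(basename($stored), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

If the files must stay under DocumentRoot for some reason, the answer's third option is the fallback: an .htaccess in the upload directory containing `php_flag engine off` (this needs `AllowOverride Options` for that directory under mod_php) makes Apache serve anything there as static content instead of running it, which also neutralises the scandir() listing concern the answer raises. The random name additionally means that even a file which slipped past the allowlist has no guessable URL.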