andz Posted July 13, 2009 Share Posted July 13, 2009 When creating an image upload. I found this code on the internet and said that this can trigger a javascript on IE browser. Here's the code. \x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0DPHCK\x00\x00\x00\x01\x00\x00\x00\x01 <html><body><script>alert(window.document.cookie);</script></body></html> save it as image-name.jpg Is there any solution on php side to prevent that from being uploaded on the server? Thanks. Link to comment https://forums.phpfreaks.com/topic/165820-solved-having-problem-with-image-upload-hack/ Share on other sites More sharing options...
phporcaffeine Posted July 13, 2009 Share Posted July 13, 2009 So you are trying to prevent users from uploading something to your server? A file upload? Can you be a little more specific? Link to comment https://forums.phpfreaks.com/topic/165820-solved-having-problem-with-image-upload-hack/#findComment-874628 Share on other sites More sharing options...
andz Posted July 13, 2009 Author Share Posted July 13, 2009 I want users to upload pictures on server specifically the file will reside on uploaded/ folder. Now, i want them to only upload true images and not this codes that will cause problem to me. \x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0DPHCK\x00\x00\x00\x01\x00\x00\x00\x01 <html><body><script>alert(window.document.cookie);</script></body></html> Are there any remedy for this one? Link to comment https://forums.phpfreaks.com/topic/165820-solved-having-problem-with-image-upload-hack/#findComment-874640 Share on other sites More sharing options...
pkedpker Posted July 13, 2009 Share Posted July 13, 2009 \x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0DPHCK\x00\x00\x00\x01\x00\x00\x00\x01 <html><body><script>alert(window.document.cookie);</script></body></html> is the PE Header for PNG file so it tricks the browser thinking it's loading a PNG file.. i think i'd use header() for this.. header("Content-type: image/png"); Link to comment https://forums.phpfreaks.com/topic/165820-solved-having-problem-with-image-upload-hack/#findComment-874691 Share on other sites More sharing options...
phporcaffeine Posted July 13, 2009 Share Posted July 13, 2009 You could also break out a RegEx manual and then file_get_contents() the upload a do a regex search for the PE header. That is a more definitive solution but just verifying the mime type should do the trick. Link to comment https://forums.phpfreaks.com/topic/165820-solved-having-problem-with-image-upload-hack/#findComment-874702 Share on other sites More sharing options...
andz Posted July 13, 2009 Author Share Posted July 13, 2009 it passed the CONTENT-TYPE: image/png i have the solution. by using getimagesize(); $upload = getimagesize($_FILES['upload']['tmp_name']); if (!intval($upload[0]) || !intval($upload[1])) { // render error message here. } else { // upload } even it bypass the content-type, still when checking its width and height, it returned null so that's my basis for my solution. any better solution? Link to comment https://forums.phpfreaks.com/topic/165820-solved-having-problem-with-image-upload-hack/#findComment-874733 Share on other sites More sharing options...
phporcaffeine Posted July 13, 2009 Share Posted July 13, 2009 The only other thing I can think of is to RegEx the PE Header inside the content of the upload. Link to comment https://forums.phpfreaks.com/topic/165820-solved-having-problem-with-image-upload-hack/#findComment-874751 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.