tryingtolearn Posted February 2, 2015

Hi all,

I am building a TinyMCE image management plugin for a group. I'm trying to minimize the risks as much as possible with their current setup: no database, no access outside their folder, etc. But reading through the different topics, I read a few posts about scripts being added inside the images that can be executed once the image is called.

Now, my "hacking skills" must not be up to par, because I tried doing this on my own just to test and I can't seem to make it work. So my question is: will uploading and resizing the image with imagecopyresampled or something reduce/remove the threat? Not exactly sure how the "malicious" scripts are carried and then executed.

Thanks for any info you may be able to provide.

(I have read a lot of threads in the forum on upload security and it seems there are a few different thoughts that differ, so I'm not trying to start a debate on that! Just curious about the "Hidden File" issue.)
scootstah Posted February 2, 2015

You need to check the MIME type of the uploaded file. No, that doesn't mean look in the $_FILES data for it. You need to use something like finfo.

For additional security measures, I like to disable script execution in the upload directory. You can do this in your Apache config, although I don't know the syntax off the top of my head.
tryingtolearn (Author) Posted February 2, 2015

Thanks scootstah.

I was under the impression that the executable files could be placed in the image while leaving a valid MIME type. I'll look into that, but I'm not sure how that will tell me if something is present.

Yes, I will disable script execution. I was just wondering if there was a way to eliminate the file altogether, if present, by recreating the image. I don't know enough about it to build a legitimate defense to it, so I'm just trying to get more informed.

Thanks again.
scootstah Posted February 2, 2015 (Solution)

I wasn't sure, so I just made a quick test. I found a jpeg image that had phpinfo() embedded. It is both a valid jpeg image and a valid PHP script. If I do include 'image.jpg';, it will execute phpinfo(). If I view the image, it is still a valid picture.

I used imagecopyresampled and saved a new image which removed the PHP code and is now only a valid image. So, it seems that indeed recreating the image with PHP would remove any malicious code.

The important thing though is that you only ever treat an image as an image. As long as you do that it shouldn't really matter.
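The two checks discussed in the replies above (type detection with finfo, then recreating the image with imagecopyresampled), as an added example that is not part of the original posts. The function name `reencode_uploaded_image`, the 1600-pixel limit, the JPEG output format and the form field name in the final comment are assumptions made for illustration.

```php
<?php
// Added example: validate an upload by its content, then re-encode it with GD.
// Function name, size limit and output format are illustrative assumptions.

function reencode_uploaded_image(string $tmpPath, string $destDir, int $maxSide = 1600): string
{
    // Detect the type from the file's bytes, not from $_FILES[...]['type'],
    // which is supplied by the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);

    $loaders = [
        'image/jpeg' => 'imagecreatefromjpeg',
        'image/png'  => 'imagecreatefrompng',
        'image/gif'  => 'imagecreatefromgif',
    ];
    if ($mime === false || !isset($loaders[$mime])) {
        throw new RuntimeException('Rejected upload: not an accepted image type');
    }

    // A file that is both a valid JPEG and valid PHP passes the check above,
    // so decode the pixels and build a new file from them alone.
    $load = $loaders[$mime];
    $src  = @$load($tmpPath);
    if ($src === false) {
        throw new RuntimeException('Rejected upload: GD could not decode it');
    }

    // Scale down only; never enlarge. Keep each side at least 1 pixel.
    $w = imagesx($src);
    $h = imagesy($src);
    $scale = min(1, $maxSide / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));

    $dst = imagecreatetruecolor($nw, $nh);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);

    // Server-chosen name and extension; nothing from the client is reused.
    // Writing JPEG drops PNG/GIF transparency, which this example accepts.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($dst, $target, 85)) {
        throw new RuntimeException('Could not write the re-encoded image');
    }
    return $target;
}

// Typical call from an upload handler (field name "image" is an assumption):
// $path = reencode_uploaded_image($_FILES['image']['tmp_name'], __DIR__ . '/uploads');
```

Only the re-encoded file is kept; the original temporary upload is never moved into the web root. The stored file is still served only as an image and never passed to include, in a directory with script execution disabled, as the replies recommend.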
tryingtolearn (Author) Posted February 2, 2015

Good to know, and thanks for the test. (That's what I was trying to do but couldn't seem to make it work. Shameful!!)

I appreciate it.
JackTheRipper Posted February 3, 2015

You should also note that checking the file extensions like .png, .jpg, .gif won't help at all. Anyone can make a plain text file. Put executable commands into it. Change the file extension to .png, .jpg, or .gif and upload it to your server. That would make your server vulnerable to the max.

What I suggest is to check for the MIME type. Every file has its own type. If it was originally created using a photo editor, it'll have the MIME type of image/png, image/jpg, image/gif. If someone created a plain text file and changed the file extension, the MIME type of that file will always and forever remain the same. So it would always have a MIME type of text/plain even though its file extension is .png, .jpg, or .gif. This helps prevent people from uploading the wrong files or the wrong file type if you only want a specific type of file.
tryingtolearn (Author) Posted February 5, 2015

Thanks JackTheRipper.

Yes, all the "standard" checks are being done. I was mainly concerned with code being inserted in an image and then being executed, not a script loaded as an image. Poor choice of a title on my part.

I appreciate the input.