
File Upload: A Security Question


suttercain


Hi guys,

 

Quick question. I have built a simple file upload form which allows a user to upload a single JPEG image. I check to make sure the file size is smaller than 250k and that it is in fact a JPEG image. My question is, can someone upload an .exe file as a .jpg file and actually have it execute somehow?

 

Thanks.

https://forums.phpfreaks.com/topic/76079-file-upload-a-security-question/

They couldn't execute a JPEG as a .exe on your server. Sure, you could hide a .exe in a JPEG, download the file and use its binaries to create that program, but it couldn't "execute" on your server. This was on that show Numb3rs, where JPEGs were encoded with a program that let you decrypt the image to a secondary image, but you can't do it on your server as your server can't execute anything other than what pages they land on. Now if you are to recreate the upload, which I advise you do (even if you don't resize, just recreate), it should destroy the illegal binaries and attempt to write correct JPEG ones, resulting in a corrupt image.

You can't execute an executable file via a call like http://domain.com/executable_file.exe.

 

But you should make sure they do not upload .exe files just by renaming them to .jpg. Use exif_imagetype() to validate the image type:

 

 

<?php
// $image is the path to the file on disk (for an upload, the tmp_name of the received file).
// exif_imagetype() reads the leading bytes and returns an IMAGETYPE_* constant
// (IMAGETYPE_JPEG == 2), or false if the format is not recognised.
if (exif_imagetype($image) === IMAGETYPE_JPEG) {
  echo "$image is a valid JPEG image";
}
else {
  echo "$image is _not_ a valid JPEG image";
}
?>

 

The exif_imagetype function actually reads some bytes from the file and uses them to determine which format a picture is. You can't fool it by renaming a .exe file to .jpg.

 

http://dk2.php.net/manual/en/function.exif-imagetype.php

 

It is a lot better than simply validating the extension of a file.
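Putting the two replies together (the exif_imagetype() check in this post and the "recreate the upload" advice in the one above) as an added example, not code from either poster. It assumes the form field is named "photo", that the upload directory is ./uploads, and that the GD and EXIF extensions are loaded; none of those are stated in the thread.

```php
<?php
// Added example: validate a single JPEG upload the way the replies describe.
// Assumptions (not from the thread): form field "photo", GD and EXIF extensions loaded.

const MAX_BYTES = 250 * 1024;   // "smaller than 250k", as in the question

/**
 * Validate an uploaded JPEG and store a freshly re-encoded copy.
 * Returns the path of the stored file, or throws RuntimeException on any failure.
 */
function store_jpeg_upload(array $file, string $dest_dir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Size check on the file actually received, not on the client-supplied $file['size'].
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file larger than 250 KB');
    }

    // Magic-byte check: exif_imagetype() inspects the leading bytes of the file,
    // so a .exe renamed to .jpg does not pass. The client's filename and the
    // client-supplied MIME type ($file['type']) are never consulted.
    if (exif_imagetype($file['tmp_name']) !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG');
    }

    // Re-create the image, as the earlier reply advises: GD decodes the pixel data and
    // writes a new JPEG, so bytes appended to or hidden inside the original are not
    // carried over. A file that only starts with a JPEG header fails to decode here.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG could not be decoded');
    }

    // Server-chosen random name with a fixed .jpg extension.
    $dest = rtrim($dest_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, $dest, 90)) {
        imagedestroy($img);
        throw new RuntimeException('could not write re-encoded JPEG');
    }
    imagedestroy($img);

    return $dest;
}

// Usage in the form handler (field name "photo" and directory are assumptions):
try {
    $saved = store_jpeg_upload($_FILES['photo'], __DIR__ . '/uploads');
    echo 'Stored as ' . htmlspecialchars(basename($saved));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage());
}
```

The re-encode step is what makes the difference between "the file starts with JPEG bytes" and "the file is a JPEG": exif_imagetype() only looks at the header, while imagecreatefromjpeg() has to parse the whole image, and imagejpeg() then writes out only what was decoded.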

Archived

This topic is now archived and is closed to further replies.
