File Upload: A Security Question


suttercain


Hi guys,


Quick question. I have built a simple file upload form which allows a user to upload a single JPEG image. I check to make sure the file size is smaller than 250k and that it is in fact a JPEG image. My question is, can someone upload an .exe file as a .jpg file and actually have it execute somehow?


Thanks.


They couldn't execute a JPEG as a .exe on your server. Sure, you could hide a .exe in a JPEG, download the file and use its binaries to create that program, but it couldn't "execute" on your server. This was on that show Numb3rs, where JPEGs were encoded with a program that let you decrypt the image to a secondary image, but you can't do it on your server, as your server can't execute anything other than what pages they land on. Now if you are to recreate the upload, which I advise you do (even if you don't resize, just recreate), it should destroy the illegal binaries and attempt to write correct JPEG ones, resulting in a corrupt image.


You can't execute an executable file via a call like http://domain.com/executable_file.exe.


But you should make sure they do not upload .exe files just by renaming them to .jpg. Use exif_imagetype() to validate the image type:


<?php
if(exif_imagetype($image) == 2) { // 2 is IMAGETYPE_JPEG; the check reads the file's signature bytes
  echo "$image is a valid JPEG image";
}
else {
  echo "$image is _not_ a valid JPEG image";
}
?>


The exif_imagetype function actually reads some bytes from the file and uses them to determine which format a picture is. You can't fool it by renaming a .exe file to .jpg.


http://dk2.php.net/manual/en/function.exif-imagetype.php


It is a lot better than simply validating the extension of a file.

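Putting the two replies together (magic-byte validation with exif_imagetype() plus re-creating the image so foreign bytes are discarded), here is an added example of a complete upload handler. It is not code from the thread; it assumes the form field is named "photo", that the GD extension is available, and that an "uploads" directory exists next to the script.

```php
<?php
// Added example (not from the thread). Validates a single JPEG upload and then
// re-encodes it with GD, so whatever was appended to or hidden in the original
// file does not survive into the stored copy.

function validate_jpeg_upload(array $file, int $maxBytes = 250 * 1024): ?string {
    // Anything PHP itself flagged as a failed or tampered upload is rejected.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'upload failed';
    }
    // Size is checked on the server; the browser's reported size is untrusted.
    if (filesize($file['tmp_name']) > $maxBytes) {
        return 'file too large';
    }
    // Signature check: extension and client MIME type are both attacker-controlled.
    if (exif_imagetype($file['tmp_name']) !== IMAGETYPE_JPEG) {
        return 'not a JPEG image';
    }
    return null; // null means the file passed every check
}

function store_as_fresh_jpeg(string $tmpPath, string $destDir): string {
    // Decode and re-encode: the output holds only pixel data GD wrote itself,
    // so trailing payloads or embedded blobs from the original are dropped.
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        throw new RuntimeException('JPEG could not be decoded');
    }
    // Server-generated name; the client's filename never reaches the filesystem.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['photo'])) {
    $err = validate_jpeg_upload($_FILES['photo']);
    if ($err !== null) {
        http_response_code(400);
        exit(htmlspecialchars($err));
    }
    $saved = store_as_fresh_jpeg($_FILES['photo']['tmp_name'], __DIR__ . '/uploads');
    echo 'Stored as ' . htmlspecialchars(basename($saved));
}
```

Keep the uploads directory outside the web root (or with script execution disabled) and serve images through a handler, so a stored file is never interpreted by the server regardless of its contents.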
