Have Geek Brain

Block executable images from loading (PHP)

It occurred to me that the user is trying to create an exploit by uploading avatar images. This was discovered when a user informed me that they were receiving a notification from their Norton antivirus saying "HTTP Suspicious Executable Image Download". This warning referred to the user's avatar image. I don't think they have actually accomplished anything to steal information or anything like that, but my guess is that it is possible if the hole is left open long enough. I am using PHP to upload image files and I check if the file is png, jpg, bmp or gif loaded.

This is the code that checks if it is an image:

$allow_types = array('image/jpeg', 'image/png', 'image/gif', 'image/jpg', 'image/png', 'image/bmp', 'image/bitmap');
if (in_array($this->tmp_image['type'], 
$this->allow_types)) {
   return true;
}
+2


a source to share


4 answers


It is not possible to prevent the download of malicious files. What you need to pay attention to is how you handle these files.

Recommendations such as re-saving the image file are doomed. You can work around this manipulation by ordering the bits so that they are in the order the attacker wants after running the known image compressor.

There are so many ways to combine images and malicious files. The malicious file can be executable or contain JavaScript that is interpreted by the browser. Also, how should you re-save files that are not an image type?



When handling file uploads, take care of the following.

  • Limit the number of bytes to download per user to keep your server running out of space.

  • Limit the number of uploads per user so your server doesn't end up with inodes.

  • Store files above your document root so they are not directly accessible.

  • Serve your files through a PHP proxy script, write something like:

    $data = file_get_contents('/home/account/files/file.png');
header('Content-Type: image/png');
header('Content-Length: '. strlen($data));
header('X-Content-Type-Options: nosniff');
echo $data;

  • Rename the downloaded files to have a completely random name with no extension. If you need to store the filename (and extension / type), store the data in a database.

  • If necessary, upload files only when the user has permission to use it.

  • Never include / execute the files you downloaded. This means that it is not required or required in PHP. No HTML script tags or style tags including these. No Apache Include commands including them. Etc.

  • If at all possible, open files from another source. This fixes origin issues that occur primarily in Flash. Using a different port, domain name or IP address is fine too. Serving from subdomains is dangerous and with IP addresses the implementation becomes a little more complicated (i.e. you cannot serve files through a domain, only through IP, and you cannot serve a site through an IP but through a domain).

  • Beware of LFI and RFI. Rename the filenames before using the filename within functions like fopen()

    , read()

    etc, and check / misinform any directory values ​​as needed.

+6


a source


The simplest solution is to resample the image. Get simple image management (GD) and reload the save image, it should effectively hide any executable content or just crash if the image is just renamed by the exe.



+2


a source


use imagecreatefromjpeg

(and others imagecreatefrom *) to check that the passed data is the actual image. exe won't work.

0


a source


I think the best approach would be to check that the file is an image on upload. if it is not there, then a user error, as well as with any other unverified input data

see this link http://www.bitrepository.com/how-to-validate-an-image-upload.html

0


a source






More articles:


All Articles