2

I have a program that will accept and fetch images from urls. It will check if the extension is .png, .jpg, etc...

I will fetch these files and store them, they will be shown to users in a gallery (like Imgur and TinyPic). I can't trust these files to be images.

  • How can I verify that those images are actually images and not, for instance, a php shell script?
  • If I do this, will I have other security risks?

I know there is a magic number for files, so how would I be able to verify this? (language would be python).

Andrei Botalov
  • 5,317
  • 10
  • 46
  • 73
Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196

4 Answers4

3

An image might still be a valid image and still contain malicious material such as embedded comments or other (undefined) attack vectors. One -- albeit old -- example was the GDI JPEG vulnerability in Windows from 2004.

I think your primary concern is to ensure that your image-acceptance mechanism is simple and tight. You'll want to watch for file permission errors, resource exhaustion (running out of space, tying up network resource, etc.) and path attacks (eg. potentially overwriting files).

Furthermore, ensure that any string-handling checks are strictly and precisely defined. There was a recent question on sec.SE regarding attacking ASP upload code that used a less strict string searching mechanism.

Finally, search this site for the term "upload". Some fine examples which can give you a clear picture (no pun intended!) of all of the challenges you may face:

logicalscope
  • 6,354
  • 3
  • 26
  • 39
3

I agree it is tricky to secure yourself against an attack when your are inviting potential attackers with a way to upload files to your server. The best advice I can give is to use multiple approaches when securing uploaded content.

Ensure that the filename that is submitted is sanitised. For example, you don't want someone submitting '/../../index.html' as a filename, and overwriting your index page.

Filenames should also be checked for a valid mime type and extension (.jpg, .gif), however it is also worth investigating if your language of choice has any potential vulnerabilities when dealing with filenames, for example, when dealing with PHP it is sometimes possible to pass a null byte which may bypass extension restrictions.

By choosing a custom filename yourself for uploaded content, you can mitigate a lot of the risk of malicious filenames. So if you accept a mime type of 'image/jpeg', write this to a file with a filename of '[RANDOMSTRING].jpg'.

As woliveirajr commented, checking magic bytes can also be a good idea, however there would be nothing to stop someone from uploading a php backdoor script containing a few magic bytes, and then proceeding with <%php code.

Once you are happy that you have secured your upload script, check if your web server has a configuration option to disable execution of scripts in your destination directory (such as IIS execute permissions). This would mean that even if someone is able to bypass your upload whitelisting, they would find it difficult to have a script to execute on your server.

Also be aware of attacks not directly related to execution of code on your server. I have seen countless times that file uploads are protected against server side execution, however uploading a filename of '.....' results in a XSS attack.

This is by no means an extensive list, but I hope it gives you an few ideas of the different areas you should be protecting against.

xpn-security
  • 384
  • 1
  • 5
2

Uploading Security:

  1. Secure code:

    • You should verify the extension by using white-list (.jpg, .png,.doc ...). Don't use black-list (.php, .aspx ...)
    • Don't trust mime type, which is sent by user.
    • Avoid malicious file names by changing the name to a new random name eg: New file name = prefix_MD5(file name).extension
    • Re-size all images.
  2. Config server:

    • Disable execution of scripts in your destination directory
    • Set your upload directory out of website directory eg: Website root path: /home/user/public_html/ upload directory: /home/user/upload_dir/ So, hacker can't access malicious uploaded file directly.
Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
user11208
  • 31
  • 1
  • This does not answer the askers question at all. White-listing file formats do not work as malicious code can easily pass off as image files. –  Jul 12 '12 at 03:38
  • This answer not only does not actually answer the question at hand, much of it, is unreadable because of the grammar. – Ramhound Jul 12 '12 at 14:07
  • Edited to improve grammar and formatting - does it answer the question any better...? – Rory Alsop Jul 13 '12 at 09:31