Image Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

On a large community based site, how can the risks associated with the JPEG vulnerability be mitigated?

Do these images pass the getimagesize() test? If so, is resampling the image a surefire way to prevent these images from posing a risk?

How would one detect these images from within PHP with low overhead?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You'll likely need to either research what getimagesize() does or read the security/post-commit comments to find out if it will work or not with it. As for detecting it, there appears to be no specific signature to the vulnerability that I can find in a few minutes of looking around. All I know for sure is that the exploit uses invalid segment lengths to initiate it.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

feyd is right. I've done a fair amount of research on this and there isn't much you can do except check the magic bytes and the last byte. Also note that both the magic bytes and the last byte can be valid, but it doesn't mean the image is what one would consider "valid".
I know this can be confusing, but to sum it up, if the magic bytes say it's a JPEG then you should accept it, although it doesn't mean it'll render on your screen - there is no reasonable way to check that as you are not going to write a full JPEG parser just for that purpose.

Edit: For GIF images, if you wish, I can give you a few more "tests" that you can perform. If a file fails one of them, it's not a valid GIF and will not render on your screen for sure. But personally I think it'd be overkill to perform these tests.
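The checks discussed in the two posts above (Oren's magic bytes and last byte, feyd's invalid segment lengths) as one worked example. This is added here and is not code from any post in the thread. It walks the JPEG marker segments that precede the scan data without decoding the image, rejects any segment whose 16-bit length field is below 2 (the field counts its own two bytes) or runs past the end of the file, and checks for the SOI (FF D8) and EOI (FF D9) bytes. It assumes PHP 7 or later for the scalar type hints; the byte strings at the bottom are constructed for the demonstration, not real uploads.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Low-overhead JPEG header check in plain PHP:
// verifies the SOI magic bytes, the trailing EOI bytes, and that every marker
// segment before the scan data (SOS) carries a sane length field. It does not
// decode the image and does not prove the file will render.
function jpeg_header_check(string $data): array
{
    $len = strlen($data);
    if ($len < 4 || substr($data, 0, 2) !== "\xFF\xD8") {
        return ['ok' => false, 'reason' => 'missing SOI (FF D8) magic bytes'];
    }
    if (substr($data, -2) !== "\xFF\xD9") {
        return ['ok' => false, 'reason' => 'file does not end with EOI (FF D9)'];
    }

    $pos = 2;
    $segments = 0;
    while ($pos < $len) {
        if (ord($data[$pos]) !== 0xFF) {
            return ['ok' => false, 'reason' => sprintf('expected marker byte at offset %d', $pos)];
        }
        // Any number of 0xFF fill bytes may precede a marker.
        while ($pos < $len && ord($data[$pos]) === 0xFF) {
            $pos++;
        }
        if ($pos >= $len) {
            return ['ok' => false, 'reason' => 'truncated marker'];
        }
        $marker = ord($data[$pos++]);

        if ($marker === 0x00) {
            return ['ok' => false, 'reason' => sprintf('stuffed byte outside scan data at offset %d', $pos - 1)];
        }
        // TEM, SOI and RST0-RST7 are stand-alone markers with no length field.
        if ($marker === 0x01 || $marker === 0xD8 || ($marker >= 0xD0 && $marker <= 0xD7)) {
            continue;
        }
        if ($marker === 0xD9) {
            return ['ok' => false, 'reason' => 'EOI reached before any SOS segment'];
        }
        if ($pos + 2 > $len) {
            return ['ok' => false, 'reason' => 'truncated length field'];
        }
        $segLen = (ord($data[$pos]) << 8) | ord($data[$pos + 1]);
        // The 16-bit length includes its own two bytes, so anything below 2 is
        // malformed; a decoder that derives the payload size as length - 2
        // without this check ends up with a wrapped-around size.
        if ($segLen < 2) {
            return ['ok' => false, 'reason' => sprintf('marker 0x%02X has invalid length %d', $marker, $segLen)];
        }
        if ($pos + $segLen > $len) {
            return ['ok' => false, 'reason' => sprintf('marker 0x%02X segment runs past end of file', $marker)];
        }
        $segments++;
        if ($marker === 0xDA) {
            // Start of Scan: entropy-coded data follows, and walking it byte by
            // byte is what this check avoids. The headers are consistent.
            return ['ok' => true, 'reason' => '', 'segments' => $segments];
        }
        $pos += $segLen;
    }
    return ['ok' => false, 'reason' => 'no SOS segment found'];
}

// Constructed samples for the demonstration (not real uploads).
$samples = [
    // SOI, APP0 "JFIF" (length 16), SOS (length 8), a few scan bytes, EOI
    'well-formed' => "\xFF\xD8"
        . "\xFF\xE0\x00\x10JFIF\x00" . str_repeat("\x00", 9)
        . "\xFF\xDA\x00\x08" . str_repeat("\x00", 6)
        . "scan" . "\xFF\xD9",
    // COM segment whose length field says 1: impossible, since it counts itself
    'com-length-1' => "\xFF\xD8" . "\xFF\xFE\x00\x01" . "\xFF\xD9",
    // APP1 claiming 4000 bytes in a 10-byte file
    'segment-past-eof' => "\xFF\xD8" . "\xFF\xE1\x0F\xA0" . "\x00\x00" . "\xFF\xD9",
    // Right magic bytes and right last byte, but no image data at all
    'soi-eoi-only' => "\xFF\xD8\xFF\xD9",
];

foreach ($samples as $name => $bytes) {
    $r = jpeg_header_check($bytes);
    printf("%-18s %s %s\n", $name, $r['ok'] ? 'accept' : 'reject', $r['reason']);
}
```

The walk deliberately stops at the first SOS marker, which is what keeps the cost at a handful of header reads per upload. The trade-off is that tables or further scans placed after the scan data (as in progressive JPEGs) are not inspected; covering those means scanning the remaining bytes for 0xFF followed by a non-zero, non-RST byte, which costs a pass over the whole file. Either way, as Oren says, passing this check shows the headers are self-consistent, not that the image will render.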
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I won't be able to access the repository until tomorrow. My hunch is that getimagesize() probably would not fail on a tampered image, but I really don't see any rogue instructions surviving the imagecopyresampled() and imagejpeg() functions.
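The resampling route Benjamin describes, as an added example that is not code from the thread. It assumes PHP 7 or later with the GD extension; the two file paths are placeholders. getimagesize() is used only to learn the type and dimensions so that a decompression bomb is refused before any canvas is allocated, and the caveat is in the comments: imagecreatefromjpeg() still hands the untrusted bytes to the host's JPEG decoder, so the re-encode only helps if that decoder is patched; what it reliably removes is everything that is not pixel data.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Re-encode an uploaded JPEG through GD so
// that only pixel data reaches the file served to other users. Assumes PHP 7+
// with the GD extension; $maxPixels guards against allocating a huge canvas for
// a decompression bomb before any decoding happens.
function reencode_jpeg(string $srcPath, string $dstPath, int $maxPixels = 4000 * 4000, int $quality = 85): bool
{
    // getimagesize() only reads headers: use it for type and dimensions,
    // not as proof that the file is safe.
    $info = @getimagesize($srcPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return false;
    }
    [$width, $height] = $info;
    if ($width <= 0 || $height <= 0 || $width * $height > $maxPixels) {
        return false;
    }

    // This is the step that hands untrusted bytes to the JPEG decoder; it is
    // only as safe as the libjpeg that GD was built against.
    $src = @imagecreatefromjpeg($srcPath);
    if ($src === false) {
        return false;
    }

    $dst = imagecreatetruecolor($width, $height);
    if ($dst === false) {
        imagedestroy($src);
        return false;
    }
    // Resample pixel for pixel. Only raster data is copied, so comment and
    // application segments of the original cannot survive into the output.
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $width, $height, $width, $height);
    $ok = imagejpeg($dst, $dstPath, $quality);

    imagedestroy($src);
    imagedestroy($dst);
    return $ok;
}

// Placeholder paths for the demonstration; replace with the upload's temporary
// name and the final storage location.
$ok = reencode_jpeg('/tmp/upload.jpg', '/var/www/images/clean.jpg');
echo $ok ? "re-encoded\n" : "rejected\n";
```

If the stored copy will be scaled for display anyway, pass the target size to imagecopyresampled() instead of the source size so that the re-encode and the thumbnailing are one decode rather than two.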