Image Security
Posted: Wed May 16, 2007 5:12 pm
by Benjamin
On a large community based site, how can the risks associated with the JPEG vulnerability be mitigated?
Do these images pass the getimagesize() test? If so, is resampling the image a sure fire way to prevent these images from posing a risk?
How would one detect these images from within PHP with low overhead?
Posted: Wed May 16, 2007 5:32 pm
by feyd
You'll likely need to either research into what getimagesize() does or read the security/post-commit comments to find out if it will work or not with it. As for detecting it, there appears to be no specific signature to the vulnerability that I can find in a few minutes of looking around. All I know for sure is the exploit uses invalid segment lengths to initiate it.
Posted: Wed May 16, 2007 7:53 pm
by Oren
feyd is right. I've done quite a bit of research regarding this and there isn't much you can do except check the magic bytes and the last byte. Also note that both the magic bytes and the last byte can be valid, but it doesn't mean the image is what one would consider "valid".
I know this can be confusing, but to sum it up, if the magic bytes say it's a JPEG then you should accept it, although it doesn't mean it'll render on your screen - there is no reasonable way to check that as you are not going to write a full JPEG parser just for that purpose.
Edit: For GIF images, if you wish, I can give you a few more "tests" that you can perform. If a file fails one of them, it's not a valid GIF and will not render on your screen for sure. But personally I think it'd be overkill to perform these tests.
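A cheap structural check in the direction feyd and Oren describe (magic bytes, last byte, and sane segment lengths), added here as an example and not code from anyone in this thread; the function name and the sample byte strings are mine.

```php
<?php
// Added example: walk the JPEG marker segments without decoding pixel data.
// Extends the "magic bytes and last byte" check with a sanity check on each
// segment's declared length. Function name and samples are constructed here.
function jpeg_structure_ok(string $data): bool
{
    $len = strlen($data);
    // SOI (FF D8) must open the file and EOI (FF D9) must close it.
    if ($len < 4 || substr($data, 0, 2) !== "\xFF\xD8" || substr($data, -2) !== "\xFF\xD9") {
        return false;
    }
    $pos = 2;
    while ($pos + 2 <= $len) {
        if (ord($data[$pos]) !== 0xFF) {
            return false;                 // every segment starts with FF
        }
        $marker = ord($data[$pos + 1]);
        if ($marker === 0xFF) {           // padding byte before a marker
            $pos++;
            continue;
        }
        if ($marker === 0xD9) {           // EOI: nothing may follow it
            return $pos + 2 === $len;
        }
        if ($marker === 0x01 || ($marker >= 0xD0 && $marker <= 0xD7)) {
            $pos += 2;                    // TEM and RSTn carry no length field
            continue;
        }
        if ($pos + 4 > $len) {
            return false;                 // length field would run off the end
        }
        // Big-endian length that includes its own two bytes, so 2 is the minimum.
        $seglen = unpack('n', substr($data, $pos + 2, 2))[1];
        if ($seglen < 2 || $pos + 2 + $seglen > $len) {
            return false;
        }
        $pos += 2 + $seglen;
        if ($marker === 0xDA) {
            // SOS: entropy-coded data follows and is not walked here; the
            // EOI-at-end check above is all this cheap pass verifies for it.
            return true;
        }
    }
    return false;                         // ran out of bytes before EOI
}
// Constructed samples, not real images: a bare skeleton with one COM segment
// (FF FE) of length 5, and the same skeleton declaring a COM length of 1.
$skeleton   = "\xFF\xD8" . "\xFF\xFE\x00\x05abc" . "\xFF\xD9";
$bad_length = "\xFF\xD8" . "\xFF\xFE\x00\x01abc" . "\xFF\xD9";
var_dump(jpeg_structure_ok($skeleton), jpeg_structure_ok($bad_length));
```

It rejects a declared segment length below 2 or one that runs past the end of the file, which is the kind of malformed length feyd mentions. It does not decode scan data, so, as Oren says, passing it is no guarantee that the image will render.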
Posted: Thu May 17, 2007 11:08 am
by Benjamin
I won't be able to access the repository until tomorrow. My hunch is that getimagesize() probably would not fail on a tampered image, but I really don't see any rogue instructions surviving the imagecopyresampled() and imagejpeg() functions.