Posted: Wed Oct 03, 2007 11:18 pm
by julian_lp
Jcart wrote:
julian_lp wrote:
To every other user in this forum:
If you think you know where could be the risk, (with a real example) just post your reply.
We've already told you of one potential exploit, have you fixed that yet?
Please excuse me, but I'm lost now. What are you talking about? The use of getimagesize()? The default switch value?
In both cases I did use your advice, of course

Posted: Wed Oct 03, 2007 11:25 pm
by VladSun
Posted: Wed Oct 03, 2007 11:42 pm
by s.dot
I was advocating the use OF getimagesize() as it's far more secure than relying on ['type'] sent by the browser. However, that article is pretty interesting. Makes me re-think my upload code design, but I think I'm pretty safe with my naming scheme.
Posted: Thu Oct 04, 2007 12:01 am
by julian_lp
a very inefficient way to get rid of php code that I'm gonna add to my "upload avatar" part of the code
...added to the renaming, the check for getimagesize (useless?), and a resize
Code:
$valid = true;
// $uploadedPath: the uploaded file, stored at a path outside the html root
$lines = file($uploadedPath);
foreach ($lines as $line) {
    $findme = '<?php';
    $pos = strpos($line, $findme);
    if ($pos !== false) {
        $valid = false;
        break;
    }
}
I'm not sure whether there could be some valid image with "<?php" string in it, and if so, how probable it would be (guess very unlikely, and I pretty much prefer to lose a user rather than the whole site)
Posted: Thu Oct 04, 2007 12:30 am
by VladSun
Another article.
I read somewhere that using imagecreatefromjpeg and related functions should be secure enough ...
Posted: Thu Oct 04, 2007 12:43 am
by julian_lp
Nice reading and glad to have thought almost the same before keeping an eye on the article
VladSun wrote:
I read somewhere that using imagecreatefromjpeg and related functions should be secure enough ...
I'll try to find some proofs of that.
BTW I've been doing (in the working code) a resize over every image upload, that gets me an additional protection I guess
Posted: Thu Oct 04, 2007 1:27 am
by VladSun
julian_lp wrote: Including a file remotely (from another host) wouldn't be a problem to my site I guess.
Suppose you have a file inclusion vulnerability in your web application. In this case, having
allow_url_include=false will protect you from RFI, but not from LFI... Thus, having both of these issues would result in having RFI

Posted: Thu Oct 04, 2007 1:39 pm
by boo
Does anyone know if resizing the image would affect the php code within the image? Would it remove some of it?
Posted: Thu Oct 04, 2007 2:48 pm
by VladSun
boo wrote: Does anyone know if resizing the image would affect the php code within the image? Would it remove some of it?
Resizing is done by using a low pass filter, thus every image byte (in non-homogeneous areas) will be changed.
This is true for the raw image data, but not so for image headers and color maps, etc.
I can hardly remember embedding PHP code in JPEG header - comments section. As far as I know PHP code insertion in GIF image is done in raw image data.
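The pieces the thread argues for (checking the type by content with getimagesize(), decoding through GD so headers and comment sections are dropped, resizing, and server-side renaming) put together in one routine. This is an added example, not code posted by anyone in the thread; the form field name 'avatar' and the directory /var/app/avatars are assumptions.

```php
<?php
// Added example, not code from the thread: validate an uploaded image by its
// content, then re-encode it with GD so that header and comment segments
// (where embedded PHP text would sit) are discarded. $storeDir is assumed
// to be a directory outside the web root.
function storeUploadedImage(string $tmpPath, string $storeDir): ?string
{
    // 1. Type by actual content, not by the browser-supplied ['type'].
    $info = @getimagesize($tmpPath);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        return null;
    }

    // 2. Decode the raster only. EXIF, JPEG COM segments, GIF extension
    //    blocks and any trailing bytes are not carried into $src.
    $src = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($src === false) {
        return null;
    }

    // 3. Resample into a fresh canvas (the resize julian_lp mentions). This
    //    rewrites the pixel bytes as well, so nothing from the original file
    //    is copied through verbatim.
    $maxSide = 128;
    $ratio = min($maxSide / imagesx($src), $maxSide / imagesy($src), 1.0);
    $w = max(1, (int) round(imagesx($src) * $ratio));
    $h = max(1, (int) round(imagesy($src) * $ratio));
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, imagesx($src), imagesy($src));

    // 4. Server-chosen random name and fixed extension; the client's filename
    //    is never used, so the stored file cannot inherit its extension.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($dst, rtrim($storeDir, '/') . '/' . $name, 85);
    imagedestroy($src);
    imagedestroy($dst);
    return $ok ? $name : null;
}

// Hypothetical usage with a form field named 'avatar':
// if (is_uploaded_file($_FILES['avatar']['tmp_name'])) {
//     $saved = storeUploadedImage($_FILES['avatar']['tmp_name'], '/var/app/avatars');
// }
```

Serving the stored file back through a script that sets the Content-Type, rather than from a web-accessible directory, keeps the stored copy from ever being executed even if a check above is later relaxed.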