Re: Virus scanning

Posted: Wed Mar 25, 2009 12:19 pm
by matthijs
Ok, I understand the local file include issue, but that is a different/separate problem. Sure, I understand that combining an LFI problem with an upload problem is dangerous, but for clarity I'm now mainly interested in the (image) upload issues.
kaisellgren wrote:That the files on the server are renamed and placed into a secret place that no one knows except for the owners. At least, this should be the case.
Ok, but every site out there which lets users upload images also lets them view them. And as soon as you view the image you know the path. So what is so secret about that?
kaisellgren wrote:I was talking about hybrid files. As what comes to PHP files, they are only dangerous if you run them through the parser. So, LFI vulnerabilities are one way to exploit that. No JavaScript can be ran inside a JPEG. Browsers do not do that.
And from what I understand, this depends on the server settings as well, doesn't it? Some (misconfigured?) servers run more than .php files through the PHP parser.

Re: Virus scanning

Posted: Wed Mar 25, 2009 12:52 pm
by kaisellgren
matthijs wrote:Ok, but every site out there which lets users upload images also lets them view them. And as soon as you view the image you know the path. So what is so secret about that?
Looks like you did not understand the theory after all :). See, if you view http://popularsite.com/photos/my_uploaded_photo.jpg, the file is not stored in the photos folder and is not called my_uploaded_photo.jpg. It's all an illusion. (At least I hope so). What you want is to store the file in a secret folder outside the document root, say, /home/uploaded_stuff/, then you rename the file to something unknown and store the original filename in the database, for instance. Now, with URL rewriting, the query goes to showimage.php?photo=photos/my_uploaded_photo.jpg or something like that, and then the PHP script gets the renamed filename from the database for the matching "fake" filename and outputs the file contents.
matthijs wrote:And from what I understand, this depends on the server setting as well, doesn't it? Some (misconfigured?) servers run more then .php files through the php parser.
There are plenty of ways in which a non-.php file can be run through the parser. LFI is the most popular, crontab attacks are a bit less known, and virtually any application on the server that is capable of executing the non-.php file could do it through a vulnerability. Setting proper execute permissions will help, and so does renaming the file and keeping it somewhere unknown.
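The storage layout described in the post above, written out as an added example (this is not code from the thread or from either poster): the upload lands outside the document root under a random, extensionless name, the original filename is kept only in the database, and the serving script reconstructs the path from the database row rather than from anything in the URL. The directory, the SQLite file and the table name are assumptions for illustration; it needs PHP 7 or newer with PDO SQLite.

```php
<?php
// Added example (not code from the thread). Directory, database file and
// table name are assumptions; requires PHP 7+ with PDO SQLite.

const UPLOAD_DIR = '/home/uploaded_stuff';            // not under htdocs, no PHP handler
const DB_PATH    = '/home/uploaded_stuff/photos.sqlite';

function db(): PDO
{
    $pdo = new PDO('sqlite:' . DB_PATH);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS photos (
        id TEXT PRIMARY KEY,
        original_name TEXT NOT NULL,
        mime TEXT NOT NULL)');
    return $pdo;
}

// uploader.php side: $file is one entry of $_FILES, e.g. $_FILES['photo'].
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // The type comes from the file header, never from the client's name or MIME field.
    $allowed = [IMAGETYPE_JPEG => 'image/jpeg', IMAGETYPE_PNG => 'image/png', IMAGETYPE_GIF => 'image/gif'];
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    // Random, extensionless stored name: nothing the client chose touches the filesystem.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    db()->prepare('INSERT INTO photos (id, original_name, mime) VALUES (?, ?, ?)')
        ->execute([$id, basename($file['name']), $allowed[$info[2]]]);
    return $id; // this goes into the URL, e.g. showimage.php?id=<hex>
}

// showimage.php side: the path is built from the validated id and the database row only.
function serveImage(string $id): void
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        http_response_code(404);
        return;
    }
    $stmt = db()->prepare('SELECT mime FROM photos WHERE id = ?');
    $stmt->execute([$id]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $path = UPLOAD_DIR . '/' . $id;
    if ($row === false || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');   // the browser must not sniff HTML out of it
    header('Content-Disposition: inline; filename="' . $id . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Minimal dispatch so one file can act as both uploader.php and showimage.php.
if (isset($_FILES['photo'])) {
    echo htmlspecialchars(storeUpload($_FILES['photo']), ENT_QUOTES, 'UTF-8');
} elseif (isset($_GET['id'])) {
    serveImage((string) $_GET['id']);
}
```

The two details worth noticing are that the stored file has no extension and is not executable, so no handler on the server has a reason to run it, and that the only user-controlled input that reaches the filesystem is a 32-character hex id checked with a strict regex, so there is no path to traverse. The `Content-Type` is taken from what `getimagesize()` saw at upload time, not from the client's claim.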

Re: Virus scanning

Posted: Wed Mar 25, 2009 1:26 pm
by matthijs
kaisellgren wrote:
matthijs wrote:Ok, but every site out there which lets users upload images also lets them view them. And as soon as you view the image you know the path. So what is so secret about that?
Looks like you did not understand the theory after all :). See, if you view http://popularsite.com/photos/my_uploaded_photo.jpg, the file is not stored in the photos folder and is not called my_uploaded_photo.jpg. It's all an illusion. (At least I hope so). What you want is to store the file in a secret folder outside the document root, say, /home/uploaded_stuff/, then you rename the file to something unknown and store the original filename in the database, for instance. Now, with URL rewriting, the query goes to showimage.php?photo=photos/my_uploaded_photo.jpg or something like that, and then the PHP script gets the renamed filename from the database for the matching "fake" filename and outputs the file contents.
I do understand the whole file inclusion problem, but I'm saying that that's not what I'm interested in. I want to know: what if someone uploads a malicious image and has it "viewed", a.k.a. run on the server or by someone else in his/her browser? What can you do, when you code an upload script, to make sure something is a normal, "valid" image? We already know checking the file extension and MIME type is not enough.

Re: Virus scanning

Posted: Wed Mar 25, 2009 1:43 pm
by kaisellgren
matthijs wrote:what if someone uploads a malicious image and have that "viewed", a.k.a. being run on the server or by someone else in his/her browser?
They do not run on the server. They run on the user's computer.
matthijs wrote:What can you do, when you code an upload script, to make sure something is a normal, "valid" image? We already know checking file extension and mine type is not enough.
You can make sure that a picture is a picture by being able to resize, shrink, crop, colorize, etc. it. However, it might still be a hybrid file having more than one purpose. The thing is, you cannot know what the file "is". It is theoretically possible, but in practice your efforts are futile.

Re: Virus scanning

Posted: Wed Mar 25, 2009 2:41 pm
by matthijs
Ok, so then we're back to the original poster's question about virus scanners, since that's the only way to make sure (again, to a certain, limited extent) that the image doesn't contain anything malicious.

How do big sites like Flickr handle this problem? Can any of the images you find there contain hybrid content and therefore be misused?

Is there absolutely no way to make sure something is a jpg or gif file? Are there no (clear) specifications for these formats? I find this pretty disturbing.

Re: Virus scanning

Posted: Wed Mar 25, 2009 3:02 pm
by kaisellgren
matthijs wrote:Ok, so then we're back to the original posters question about virus scanners, since that's the only way to make sure (again, to a certain, limited extent) that the image doesn't contain anything malicious..
Can you name me one antivirus software that reports a Java or a Flash file as a virus if it grabs and sends cookies?
matthijs wrote:How do big sites like Flickr handle this problem? Can any of the images you find there contain hybrid content and therefore be misused?
One photo example: http://farm4.static.flickr.com/3580/338 ... c5.jpg?v=0
See the URL? It uses a subdomain, so, if the cookies are set to flickr.com, a subdomain cannot get those. However, I am not sure if some Java, for instance, could manipulate the HTML content on the page where the picture is shown. All I am sure is that if you have an entirely different domain, then it is no harm. E.g. yourimages.com/file.jpg.
matthijs wrote:Is there absolutely no way to make sure something is a jpg or gif file? Are there no (clear) specifications for these formats? I find this pretty disturbing.
There is no way. Who says what you can insert into the file's comment section? What about the color palette? How about the camera model name? Some <?php ... ?> there ;)? PHP and much other software, like Java, will ignore the other binary garbage and execute the code they understand.

The only solution I am aware of is to upload the files to another domain. Thus, the pictures can't harm the users of your main site, because they are on a different site (domain).
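The hybrid file described in the post above (PHP source hidden in a JPEG comment segment) and the point made two posts earlier (being able to decode or resize a file proves it is a picture, not that it is only a picture), as an added example that is not part of the thread and not either poster's code. It builds a valid JPEG, injects a COM segment carrying PHP code, shows that the header check and libmagic still call it a JPEG, and then shows that decoding the pixels and writing a fresh JPEG drops the payload. It needs the GD and fileinfo extensions; the 8x8 red image and the payload string are constructed for the demo.

```php
<?php
// Added example, not from the thread. Requires the GD and fileinfo extensions;
// the 8x8 image and the payload string are constructed for the demo.

function makeJpeg(int $w = 8, int $h = 8): string
{
    $im = imagecreatetruecolor($w, $h);
    imagefill($im, 0, 0, imagecolorallocate($im, 200, 30, 30));
    ob_start();
    imagejpeg($im, null, 90);
    imagedestroy($im);
    return ob_get_clean();
}

// Insert a COM marker (0xFF 0xFE, 2-byte big-endian length, text) straight after
// SOI (0xFF 0xD8). Decoders skip comments, so the file stays a displayable picture.
function injectComment(string $jpeg, string $comment): string
{
    if (substr($jpeg, 0, 2) !== "\xFF\xD8") {
        throw new InvalidArgumentException('not a JPEG');
    }
    $segment = "\xFF\xFE" . pack('n', strlen($comment) + 2) . $comment; // length counts itself
    return "\xFF\xD8" . $segment . substr($jpeg, 2);
}

// The two checks an upload script usually relies on: image header and magic bytes.
function looksLikeJpeg(string $bytes): bool
{
    $info = getimagesizefromstring($bytes);
    return $info !== false && $info[2] === IMAGETYPE_JPEG;
}

function sniffedMime(string $bytes): string
{
    return (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
}

// Decode to pixels and re-encode. The injected comment, EXIF, and anything else the
// decoder did not turn into pixels is gone; GD writes a fresh header of its own.
function reencode(string $bytes): string
{
    $im = imagecreatefromstring($bytes);
    if ($im === false) {
        throw new RuntimeException('not decodable as an image');
    }
    ob_start();
    imagejpeg($im, null, 90);
    imagedestroy($im);
    return ob_get_clean();
}

$payload = '<?php echo "hello from inside a JPEG comment"; ?>';
$hybrid  = injectComment(makeJpeg(), $payload);

// Still a JPEG by header and by libmagic, and still carrying the PHP source.
if (!looksLikeJpeg($hybrid) || strpos($hybrid, '<?php') === false) {
    throw new LogicException('hybrid construction failed');
}
echo "hybrid:     ", sniffedMime($hybrid), ", ", strlen($hybrid), " bytes, contains <?php\n";

// After re-encoding the picture is intact but the code is no longer in the file.
$clean = reencode($hybrid);
if (!looksLikeJpeg($clean) || strpos($clean, '<?php') !== false) {
    throw new LogicException('re-encoding did not strip the payload');
}
echo "re-encoded: ", sniffedMime($clean), ", ", strlen($clean), " bytes, no <?php\n";
```

The first check passing is the whole point of the thread: a hybrid file is a valid JPEG, so no format check can reject it, and a virus scanner has no reason to flag a comment that only means something to a PHP parser. Re-encoding through GD is the practical counterpart to "being able to resize, crop, etc. it": it keeps the picture and discards everything that was not the picture. It only removes payloads that live outside the pixel data, so it is a complement to storing the file outside the document root with no execute permission, not a replacement for it.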

Re: Virus scanning

Posted: Wed Mar 25, 2009 3:34 pm
by matthijs
kaisellgren wrote:Can you name me one antivirus software that reports a Java or a Flash file as a virus if it grabs and sends cookies?
I wouldn't know.
kaisellgren wrote:One photo example: http://farm4.static.flickr.com/3580/338 ... c5.jpg?v=0
See the URL? It uses a subdomain, so, if the cookies are set to flickr.com, a subdomain cannot get those. However, I am not sure if some Java, for instance, could manipulate the HTML content on the page where the picture is shown. All I am sure is that if you have an entirely different domain, then it is no harm. E.g. yourimages.com/file.jpg.
With the cookies and stealing of them that is just one example of how images can be misused isn't it?
kaisellgren wrote:There is no way. Who says what you can insert into file comments section? What about color palette? How about camera model name? Some <?php ... ?> there ;)? PHP and many other software like Java will ignore the other binary carbage and execute the code they understand.
Great. So what you basically say is I should, from now on, besides not running Java, not running JavaScript, no Flash, also block images on all sites I visit? That's no fun anymore, I'd better start reading books again :?
kaisellgren wrote:The only solution I am aware of is to upload the files to another domain. Thus, the pictures can't harm the user's of your main site, because they are on a different site (domain).
:lol: that's a nice solution. We just tell our client, for which we build a community website, that the image uploading part will not be built in but go through Flickr, to make sure that their lawyers can always blame Flickr if something goes wrong ...

Re: Virus scanning

Posted: Wed Mar 25, 2009 3:53 pm
by kaisellgren
matthijs wrote:I wouldn't know.
What is wrong with having a JPEG file that contains PHP code in the comment section, for instance? Why would an antivirus detect it as a virus? That would be utterly retarded.
matthijs wrote:With the cookies and stealing of them that is just one example of how images can be misused isn't it?
I am a defender, not a cracker. I am honestly not that interested in knowing what kind of damage you are capable of doing. Yes, there are plenty of evil things you do not want to happen. The weirdest one I know of is that someone made a Flash file record the user's web camera, which showed the user typing his password and username. That was an exotic one.
matthijs wrote:Great. So what you basically say is I should, from now on, besides not running Java, not running javascript, no flash, also block images on all sites I visit? That's no fun anymore, I better start reading books again :?
I have said many times, here and there, that current web browser and web security is rotten. There are reasons why I have said that... I have sooo many suggestions for building a better web. I would love to throw some at Chrome, because it is still so young.

Note that this is nothing new. When I installed Java and Flash for the first time, I knew they would have security vulnerabilities and would put me at risk. It is always a risk to install anything on your computer. JavaScript allows XSS, while Flash, Java, Silverlight, etc. create their own issues.
matthijs wrote: :lol: that's a nice solution. We just tell our client for which we build a community website, that the image uploading part will not be build in but go through Flickr, to make sure that their lawyers can always blame Flickr if something goes wrong ...
Just buy two domains: yoursite.com and yourfiles.com. You do not need two servers. You just upload to another folder and serve them through different domain.

/home/yoursite.com/htdocs/uploader.php
uploads the image to:
/home/yourfiles.com/images/newimage.jpg

Re: Virus scanning

Posted: Wed Mar 25, 2009 4:09 pm
by matthijs
kaisellgren wrote:What is wrong having a JPEG file that contains PHP code in comment section, for instance? Why would an antivirus detect it as a virus? That would be utterly retarted.
You are right. A malicious thing is only malicious when it can actually do something malicious. The same as having a quote in the name O'Reilly is not bad, but put in a query unescaped it suddenly is.
kaisellgren wrote:I am a defender, not a cracker. I am honestly not that interested in knowing what kind of damage are you capable of doing. Yes, there are plenty of evil things you do not want to happen. The most weird what I know is that someone made Flash to record user's web camera which showed the user typing his password and username. That was exotic one.
Well, I'm no cracker either, but if I build web applications I have to know how to do that as securely as possible.
kaisellgren wrote:I have said many times every here and there that current web browser and web security is rotten. There are reasons why I have said that... I have sooo many suggestions for building up a better web. I would love to throw some at Chrome, because it is still so young.
I can imagine how you feel. My feeling of security on the web has only decreased the more I know about how things (not) work.
kaisellgren wrote:Just buy two domains: yoursite.com and yourfiles.com. You do not need two servers. You just upload to another folder and serve them through different domain.
I'm still not sure I see the real issue here. You mean the two domains are needed because an image uploaded on domain A cannot steal a user's cookies if he browses domain B?

Re: Virus scanning

Posted: Wed Mar 25, 2009 4:24 pm
by kaisellgren
matthijs wrote:I'm still not sure I see the real issue here. You mean the two domains are needed because an image uploaded on domain A cannot steal a users' cookies if he browses domain B?
How could a picture or any file at google.com harm your site matthijs.com ?

Re: Virus scanning

Posted: Thu Mar 26, 2009 2:42 am
by matthijs
kaisellgren wrote:How could a picture or any file at google.com harm your site matthijs.com ?
Well it is still an image that is being shown on my site. It would be kind of silly to be a user of Flickr.com, upload an image and afterwards not find that image on Flickr.com but on Picasa.com. So if the image does anything bad (whatever that is), it happens on my site. Maybe I don't understand your question.

Re: Virus scanning

Posted: Thu Mar 26, 2009 8:43 am
by kaisellgren
matthijs wrote:Well it is still an image that is being shown on my site.
It is shown on your site, but it is not located on your site. It cannot access your cookies or anything else.
matthijs wrote:and afterwards not find that image on Flickr.com but on Picasa.com.
Why follow such a bad principle? Why not upload the image to matthijs-files.com? I don't think it is silly to find out that the files are on a different domain if the domain is indeed owned by the same site. What does it matter anyway?

Re: Virus scanning

Posted: Thu Mar 26, 2009 10:49 am
by matthijs
Look, we seem to misunderstand each other. You are the expert on this matter, not me. I don't know the ins and outs of image formats and how malicious stuff can be hidden and misused. I just want to know what to look out for when I write an image (and/or file) upload script for a website and let users upload stuff. As the original poster asked about virus scanners, I wondered what measures are needed with PHP alone to "secure" an upload feature of a webapp, as I'm clearly not installing a virusscanner behind every upload script.

I really appreciate your input here, but at this point you raise more questions than you answer ..

Re: Virus scanning

Posted: Sat Mar 28, 2009 2:06 am
by matthijs
@ kaisellgren, did my last post end your motivation to post any further? Hope not, I do want to know more about this subject. Maybe I have to go out and read a bit more on the matter, then come back and ask some specific questions; maybe that'll help the discussion.

Re: Virus scanning

Posted: Sat Mar 28, 2009 3:28 am
by kaisellgren
matthijs wrote:@ kaisellgren, did my last post end your motivation to post any further?
No, it's just that I am not sure what is being asked.

EDIT: Okay here are some updates.

Latest version of Java is safe from hybrid file attacks. I can confirm that.
I am not sure about Flash or any other possible browser plugins. I have heard Flash is safe (latest version). I cannot confirm that yet.