Virus scanning

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Virus scanning

Post by matthijs »

My main question is: if you don't want to rely on having a virus scanner check every uploaded file, what else do you have to do to make uploading of files and/or images by users secure? Maybe it's best to just focus on images alone.

So if you look at the article
http://blog.insicdesigns.com/2009/01/se ... lications/
there are a few measures discussed, one by one not enough.

Checking of mime type

Code:

if($_FILES['userfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit;
}

As an attacker can set the mime-type in the request, this check will not be enough.

Image file content verification

Code:

$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') {
    echo "Sorry, we only accept GIF and JPEG images\n";
    exit;
}

Again, this is not enough, as a valid image can also contain some other text content, which can be misused.

File name extension verification

Code:

$blacklist = array(".php", ".phtml", ".php3", ".php4");
foreach ($blacklist as $item) {
    // preg_quote() escapes the dot so ".php" cannot also match "xphp"
    if (preg_match("/" . preg_quote($item, "/") . "\$/i", $_FILES['userfile']['name'])) {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}

Again, not enough, as depending on the configuration of the server, over which many people have little control, the server can allow other extensions than .php to be run through the PHP parser. Of course you can say that is a problem of the server which should be solved. However, let's just assume that we can't do anything about that.

Now you talked about an alternative way of allowing (and securing) uploads and that is by uploading them to a different domain. I am still not quite sure what exactly that should prevent and how. And, what one should do if you do not have access to multiple domains.

[edit:]
Maybe it's best for the discussion to talk about two different things:
1) first, in which ways uploaded images (and files) can be misused. executing a malicious php command is something different from doing something with a browser flash plugin.
2) second, how to prevent these problems.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Virus scanning

Post by kaisellgren »

matthijs wrote: if you don't want to rely on having a virus scanner check every uploaded file

If you use virus scanners to scan every file that is being uploaded, that does not prevent all sorts of attacks (e.g. hybrid files are clean files for antiviruses). Also, bear in mind that antiviruses cannot protect from zero-day viruses.
matthijs wrote: Checking of mime type

Code:

if($_FILES['userfile']['type'] != "image/gif") {
    echo "Sorry, we only allow uploading GIF images";
    exit;
}

As an attacker can set the mime-type in the request, this check will not be enough.

$_FILES[...]['type'] is a completely useless feature. It shall never be used.
matthijs wrote: Image file content verification

Code:

$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') {
    echo "Sorry, we only accept GIF and JPEG images\n";
    exit;
}

Again, this is not enough, as a valid image can also contain some other text content, which can be misused.
I do not think there are any valid reasons to check that the image is an image. After all, it could also be something else, too.
matthijs wrote: File name extension verification

Code:

$blacklist = array(".php", ".phtml", ".php3", ".php4");
foreach ($blacklist as $item) {
    // preg_quote() escapes the dot so ".php" cannot also match "xphp"
    if (preg_match("/" . preg_quote($item, "/") . "\$/i", $_FILES['userfile']['name'])) {
        echo "We do not allow uploading PHP files\n";
        exit;
    }
}

Again, not enough, as depending on the configuration of the server, over which many people have little control, the server can allow other extensions than .php to be run through the PHP parser. Of course you can say that is a problem of the server which should be solved. However, let's just assume that we can't do anything about that.

You can always force the extension to be anything you want. Force it to be something that clearly is never recognized by the server (.matt, for instance). After that, rename the whole filename. This makes sure that no attacker can make it run through a PHP parser, especially since the files are uploaded outside the document root. If someone is capable of figuring out the filename, you are in trouble anyway.

By the way, the above code is vulnerable to filename truncation attacks. I could upload a file "file.php%00.jpg" and it would become "file.php" and would still pass the check. Furthermore, blacklisting is a very risky protection. One good way of knowing file upload paths with that script would be to upload a file named "file.php\n.jpg". It would pass the check, but throw an error, because the filename is improper and possibly reveals some paths of your system.
matthijs wrote:Now you talked about an alternative way of allowing (and securing) uploads and that is by uploading them to a different domain. I am still not quite sure what exactly that should prevent and how. And, what one should do if you do not have access to multiple domains.
I was talking about hybrid file attacks, which target the user on the site (not the user, not the site, but the user on the very specific site). So, uploading to a different domain would prevent the attack on the specific site, obviously.

I just tried on IE 7 and Firefox. Setting a cookie to mydomain.com will not be available to m.y.i.p address. So, instead of having a domain to prevent any kinds of hybrid file attacks, one could use his static IP provided that he has one.
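The measures from matthijs's list and kaisellgren's reply (sniff the bytes rather than trusting $_FILES[...]['type'], refuse names with control characters, choose the name and extension yourself, store outside the document root) combined into one upload handler. This is an added example, not code from the thread or from the linked article; it assumes PHP 8 with the fileinfo and GD extensions, and UPLOAD_DIR is a hypothetical path that must lie outside the web root. Re-encoding through GD is an extra step beyond the thread: it rewrites the pixel data and drops trailing bytes, text chunks and comments, where appended payloads usually sit, though it does not defeat every hybrid construction.

```php
<?php
// Added example, not from the thread. Assumes PHP 8 with fileinfo + GD.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // hypothetical; must be outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB cap on accepted uploads
// Accepted sniffed MIME types and the extension the server assigns to each.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Validates one entry of $_FILES, re-encodes it and stores it under a
 * server-chosen random name. Returns the stored base name or throws.
 */
function storeUploadedImage(array $file): string
{
    // Only trust files PHP itself received through a POST upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // The client name is never used for storage, but reject control characters
    // (the "file.php%00.jpg" and "file.php\n.jpg" cases above) so it is never
    // echoed into logs or error messages either.
    if (preg_match('/[\x00-\x1f\x7f]/', $file['name'])) {
        throw new RuntimeException('Invalid file name');
    }

    // Ignore $_FILES[...]['type'] entirely; sniff the bytes on disk and require
    // that fileinfo and getimagesize() agree on the type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $info  = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$mime]) || $info['mime'] !== $mime) {
        throw new RuntimeException('Not an accepted image type');
    }

    // Decode and re-encode: only pixel data survives, so text chunks, comments
    // and bytes appended after the image are discarded.
    $img = match ($mime) {
        'image/png'  => imagecreatefrompng($file['tmp_name']),
        'image/jpeg' => imagecreatefromjpeg($file['tmp_name']),
        'image/gif'  => imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // Server-chosen random name with a server-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($mime) {
        'image/png'  => imagepng($img, $dest),
        'image/jpeg' => imagejpeg($img, $dest, 85),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $name;
}

// Usage: $stored = storeUploadedImage($_FILES['userfile']);
```

Because the stored file is written from decoded pixels, animated GIFs lose their animation and JPEGs are recompressed; if that is unacceptable, keep the random-name and outside-docroot parts and drop the re-encode, accepting that appended data then survives.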
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Virus scanning

Post by kaisellgren »

I uploaded a hybrid file for everyone who is interested in trying it out.

It is a simple demonstration of a PHP file combined with a PNG file. It is a PNG file, but if you run it through the parser, it outputs:
Kai was here.
You can get rid of that PHP code by manipulating the image file, but keep in mind that there are several ways of creating hybrid files and at least one way that passes any image filter you apply to your image.

It is impossible to make sure that your file is indeed just what it claims to be. It may be something else, too.
Attachments: kwh.png (44.04 KiB), Hybrid File.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Virus scanning

Post by matthijs »

That's pretty interesting. So anything can be put in an image. And I assume that can be php, text, javascript, flash or anything else. So depending on the situation that hidden php or js code can be misused.

So to prevent that code from being executed, is it possible to make sure images are only displayed as actual images?
header("Content-Type: image/png") only works if you haven't sent any headers yet
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Virus scanning

Post by kaisellgren »

matthijs wrote: So anything can be put in an image.
Not just in an image, but in most file types.

By the way, http://en.wikipedia.org/wiki/Steganography is an interesting science.
matthijs wrote: So depending on the situation that hidden php or js code can be misused.

If there is a Java archive in the image, for instance, anyone having an older Java Virtual Machine installed will have the Jar executed. It does not matter whether you are using Firefox, Chrome or IE. Therefore, the image can steal your online credentials and the only thing you need to do is to view the image. To prevent this, use only software that is not vulnerable or do not install anything at all. However, this is something you cannot make your users do.
matthijs wrote: So to prevent that code from being executed, is it possible to make sure images are only displayed as actual images?
header("Content-Type: image/png") only works if you haven't sent any headers yet

The Content-Type header will tell the browser that the data is a PNG file, for instance. Then the browser will display it as a PNG image, but the problem is that some other software may run the hidden code, because it thinks it is not an image, but something else. The example I gave you above (an older version of the JVM) does not bow down before content types and will just look for any data it can understand and execute it. The latest version will not be vulnerable, and specifying content types and setting a proper extension will prevent that kind of attack.

I have no idea what other software could be vulnerable to this. Silverlight? Anyone?

It is definitely not the web application developer's fault, but you could remove the problem by serving uploaded content through a static IP address or through an entirely different domain name. Therefore, the Jar (or whatever is being exploited) will have no access to your site's credentials, so the user credentials are not stolen.
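matthijs's question about header("Content-Type: image/png") and kaisellgren's answer (explicit content type, proper extension, serve from a separate domain or static IP) as one serving script. This is an added example and not code from the thread; it assumes the same hypothetical UPLOAD_DIR as an upload handler that stores files as 32 hex characters plus a known extension, and it is meant to be deployed on a hostname that carries none of the main site's cookies. The nosniff and Content-Security-Policy headers go beyond what the thread mentions: they tell modern browsers not to second-guess the declared type and not to run anything even if the response were treated as a document.

```php
<?php
// Added example, not from the thread. Serves a stored image by server-chosen id.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // hypothetical; same directory the upload handler writes to
const TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

/**
 * Maps a request id to a file path and MIME type, or null if the id is not
 * exactly the shape the upload handler produces. Because the id is validated
 * against a strict pattern, directory traversal and odd names are impossible.
 */
function resolveImage(string $id): ?array
{
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|gif)$/', $id, $m)) {
        return null;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        return null;
    }
    return ['path' => $path, 'mime' => TYPES[$m[1]]];
}

$img = resolveImage($_GET['id'] ?? '');
if ($img === null) {
    http_response_code(404);
    exit;
}

// Headers must be sent before any output, so nothing is echoed above this point.
header('Content-Type: ' . $img['mime']);
// Forbid the browser from guessing a different type from the bytes.
header('X-Content-Type-Options: nosniff');
// Give the client a server-chosen file name and extension, never the original one.
header('Content-Disposition: inline; filename="' . basename($img['path']) . '"');
header('Content-Length: ' . (string) filesize($img['path']));
// Even if something rendered this response as a page, nothing may load or run.
header("Content-Security-Policy: default-src 'none'; sandbox");
readfile($img['path']);
```

Requested as https://static.example.test/image.php?id=<name> (placeholder host), the response carries no session cookie for the main site, which is the point of the separate domain or IP: a plugin that ignores the content type still cannot reach the main site's credentials from there.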
php_east
Forum Contributor
Posts: 453
Joined: Sun Feb 22, 2009 1:31 pm
Location: Far Far East.

Re: Virus scanning

Post by php_east »

personally i think all this talk of security is quite useless and senseless. virii can be made from any material whatsoever. and all the techniques talked about are ancient. what is most likely achieved by talking more about security is more people able to make better viruses, as they are better educated at security measures. so go on, tell us all about the latest 'security' techniques. :crazy:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Virus scanning

Post by kaisellgren »

Bear in mind that the last posts in this topic are not about virii at all. I do agree with you, though. Especially on a web environment it is pointless to scan files for virii.
php_east
Forum Contributor
Posts: 453
Joined: Sun Feb 22, 2009 1:31 pm
Location: Far Far East.

Re: Virus scanning

Post by php_east »

you are just trying to classify nuisance ware. just academic. i am talking of an epidemic.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Virus scanning

Post by kaisellgren »

php_east wrote: you are just trying to classify nuisance ware. just academic. i am talking of an epidemic.
Huh? Apart from hybrid files, most of my posts are talking about exploiting vulnerabilities and defending ourselves, which do not have anything to do with any sort of "ware".
aschlosberg
Forum Newbie
Posts: 24
Joined: Fri Jan 23, 2009 10:17 pm

Re: Virus scanning

Post by aschlosberg »

Woah! I never expected this topic to go any further than my last post.

Now I'm more lost than ever. Time to start reading :)
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Virus scanning

Post by Chris Corbyn »

I'd stick with clam... It's well-established, is designed for this sort of thing and you're the one in control of keeping its definitions up-to-date.

With regards to viewing an image in a browser and being subject to some sort of exploit... nobody remembers the infamous TIFF exploit that was used (openly) to jailbreak 1st generation iPhones? All you had to do was open a web page and your phone was pretty much jailbroken:

Complete with exploit source code: http://toc2rta.com/?q=node/30