RE: First problem. Something like this is the problem: http://www.coldfusionjedi.com/index.cfm/2009/9/21/How-Galleon-was-Hacked

- Gabriel

On Mon, Apr 19, 2010 at 1:33 PM, Rick Faircloth <[email protected]> wrote:

> Can you clarify this some, Andrew?
>
> > Let's talk about the first problem, as it sounds like you are uploading the
> > file directly to the images directory. This is a major security risk and you
> > should avoid this.
>
> If appropriate formats are specified in the cffile "accept" parameter, what
> risk is there? Some kind of file that "fakes" its format or has malicious code
> embedded in it?
>
> And concerning your second concern below, I've always assumed that using the
> "accept" parameter was enough to verify file format and prevent malicious code
> from being uploaded in a file. What other tests are there that can be run to
> verify images?
>
> Thanks,
>
> Rick
>
> -----Original Message-----
> From: Andrew Scott [mailto:[email protected]]
> Sent: Sunday, April 18, 2010 6:00 PM
> To: cf-talk
> Subject: RE: Can this be done?
>
> You actually have two problems here.
>
> Let's talk about the first problem, as it sounds like you are uploading the
> file directly to the images directory. This is a major security risk and you
> should avoid this.
>
> Second, this gives you the opportunity to store the files into a temp
> directory that is not accessible by the web, in which you can then run what
> you need to make sure that they are indeed images and are of the required
> types before deleting them.
>
> Hope that helps.
>
> -----Original Message-----
> From: Matthew Friedman [mailto:[email protected]]
> Sent: Monday, 19 April 2010 6:43 AM
> To: cf-talk
> Subject: Can this be done?
>
> We have a site where people are uploading images to our site.
>
> We are using cffile upload, checking the sizing, resizing them - all is
> working great but....
> about 2% of the images will sometimes be uploaded but not able to be displayed
> on the site - they might be set as CMYK or some other reason and there is
> the red x being displayed.
>
> Here is my question - since I have the full url to the image saved in the
> database, is there any way that I can check the images that have been
> uploaded in the past hour and see if they are working in an automated
> format?
>
> My thoughts would be to just loop through the list by hour and using an http
> get to see the image - the question is: is there a host header error or notice
> that will indicate that the image is bad and we need to fix the image?
>
> We are trying to be proactive instead of reactive to clients telling us that
> there is a bad image on the list.
>
> Thanks for any insight.
> Matt

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:332988
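The two checks the thread circles around, written out as an added example that is not code from the thread, from ColdFusion or from the Galleon project. It is in Python rather than CFML so it can be run stand-alone; the sample files, the quarantine directory layout and the hash-based file naming are all assumptions. It shows why the client-supplied MIME type that cffile's "accept" attribute looks at proves nothing (a CFML page sent as "image/jpeg" sails through), what a check of the bytes themselves looks like, and how to catch the CMYK JPEGs Matt describes before they reach the images directory and render as a red X:

```python
# Added example (not the thread's or ColdFusion's code). Validates an upload
# by its bytes instead of the client-claimed MIME type, stages it outside the
# web root, and flags CMYK JPEGs. All sample files are constructed inline.
import hashlib
import os
import shutil
import struct
import tempfile

# Leading bytes of the formats we serve; a file must start like one of them.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
              b"GIF87a": "gif", b"GIF89a": "gif"}
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# JPEG start-of-frame markers: SOF0..SOF15 minus DHT (C4), JPG (C8), DAC (CC).
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def sniff_kind(data):
    """Return 'jpeg', 'png' or 'gif' from the magic bytes, else None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def jpeg_components(data):
    """Walk the marker segments to the first SOF and return its component
    count: 1 greyscale, 3 YCbCr/RGB, 4 CMYK or YCCK. None if malformed."""
    pos = 2  # past SOI
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 1 if marker == 0xFF else 2   # fill byte / no-length marker
            continue
        if marker == 0xD9:                      # EOI before any frame header
            return None
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return None
        if marker in SOF_MARKERS:
            # payload: precision(1) height(2) width(2) components(1) ...
            return data[pos + 9] if seg_len >= 8 else None
        pos += 2 + seg_len
    return None

def validate_image(filename, claimed_mime, data):
    """(True, kind) if the bytes are an image we can serve, else (False, reason).
    claimed_mime is only echoed back in the reason, never trusted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TO_KIND.get(ext)
    if expected is None:
        return False, "extension %r not allowed (client said %s)" % (ext, claimed_mime)
    actual = sniff_kind(data)
    if actual is None:
        return False, "no image signature (client said %s)" % claimed_mime
    if actual != expected:
        return False, "content is %s but the name says %s" % (actual, expected)
    if actual == "jpeg":
        comps = jpeg_components(data)
        if comps is None:
            return False, "malformed JPEG"
        if comps == 4:
            return False, "CMYK/YCCK JPEG; most browsers will not render it"
    return True, actual

def quarantine_and_publish(filename, claimed_mime, data, images_dir):
    """Stage outside the web root, validate, then move into images_dir under a
    server-chosen name (assumed scheme: content hash + real type)."""
    ok, detail = validate_image(filename, claimed_mime, data)
    if not ok:
        return None, detail
    with tempfile.TemporaryDirectory() as quarantine:  # not web-accessible
        staged = os.path.join(quarantine, "upload.bin")
        with open(staged, "wb") as fh:
            fh.write(data)
        os.makedirs(images_dir, exist_ok=True)
        dest = os.path.join(images_dir, hashlib.sha256(data).hexdigest()[:16] + "." + detail)
        shutil.move(staged, dest)
    return dest, detail

def _jpeg(components):
    """Construct a minimal JPEG: SOI, one SOF0 frame header, EOI."""
    frame = b"\x08" + struct.pack(">HH", 1, 1) + bytes([components])
    frame += b"".join(bytes([i + 1, 0x11, 0]) for i in range(components))
    return b"\xff\xd8\xff\xc0" + struct.pack(">H", len(frame) + 2) + frame + b"\xff\xd9"

SAMPLES = {  # constructed: name -> (MIME type the browser claims, bytes)
    "rgb.jpg": ("image/jpeg", _jpeg(3)),
    "cmyk.jpg": ("image/jpeg", _jpeg(4)),
    "logo.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16),
    "page.cfm": ("image/jpeg", b"<cfoutput>#now()#</cfoutput>"),   # the Galleon pattern
    "photo.gif": ("image/gif", _jpeg(3)),                          # real JPEG, wrong name
}

def run_samples(images_dir=None):
    """{name: (published basename or None, kind or rejection reason)}"""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        target = images_dir or os.path.join(tmp, "images")
        for name, (mime, data) in SAMPLES.items():
            dest, detail = quarantine_and_publish(name, mime, data, target)
            results[name] = (os.path.basename(dest) if dest else None, detail)
    return results
```

Only rgb.jpg and logo.png end up in the images directory; page.cfm is refused on extension, photo.gif because its bytes are a JPEG, and cmyk.jpg because its frame header declares four components. This sniffs and parses headers but does not decode pixels; in a ColdFusion deployment the same flow is upload to a non-web temp directory, decode the file (isImageFile() and the image functions in CF8+ do this), and only then move it under the web root. Checking the SOF component count up front is also the direct answer to Matt's question, since a CMYK JPEG is served with a perfectly normal HTTP 200 and no header will tell a client-side GET that it is unrenderable.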

