Re: [PHP] Uploading JPEG's - Security Issues?
Thanks Rasmus, I thought there had to be function out there that could examine the actual contents. Now the question remains, would an ereg/eregi check for html/code/commands work on a "jpg/jpeg" type file? From a brief examination of one, I note that it's not text, but code. I tried writing some text commands into a jpeg file to see what would happen, and wasn't too surprised that the file didn't load -- but then again, I don't know what I'm doing:> I suppose, following what I saw in a movie "Along Came a Spider" -- manipulating image files with hidden text files, etc. -- sort of put me on guard. I have no idea whether this is even possible. . . sounds probable though. Would be great to find out before the site is compromised. Tia, Andre On Tuesday 14 May 2002 10:32 pm, you wrote: > Have a look at the getimagesize() function. This function looks at the > actual file data, not the mime type nor the file's extension but the data > itself and tells you what sort of image file it is. > > And no, it wouldn't really be after the fact because because stores the > file with a temporary random filename in /tmp ensuring not to overwrite > anything that is already there. It is then your job to perform the check > and copy the file to some appropriate directory on your server. If you > don't do anything with the file, PHP will automatically delete it at the > end of the request. > > -Rasmus > > On Tue, 14 May 2002, Andre Dubuc wrote: > > My question will probably expose my woeful lack understanding of security > > breaches, but perhaps someone can enlighten me. > > > > On my site, registered members will be allowed to upload jpg/jpeg > > pictures. I'm concerned about possible security problems. First, is there > > a way to ensure that a picture (and not some other malicious stuff) has > > been uploaded? > > > > Aside from checking the mime type info associated with the file, is there > > any way of verifying what's in the file that has been uploaded? (I'm > > using Linux LM8.2) Would it be possible to fake info to fool this check? > > Would verification checks for html/scripts/commands be of any use? > > > > Secondly, since the file in question is already uploaded and saved to > > disk in /tmp or wherever, wouldn't any verification scheme be sort of, > > 'after-the-fact'? > > > > I would appreciate any input, suggestions, or ideas on what to do here. > > Am I being overly-paranoid about this, or do I have legitimate security > > concern. > > > > Using: Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2 > > > > Tia, > > Andre > > > > > > -- > > Please pray the Holy Rosary to end the holocaust of abortion. > > Remember in your prayers the Holy Souls in Purgatory. > > > > May God bless you abundantly in His love! > > For a free Cenacle Scriptural Rosary Booklet: > > http://www.webhart.net/csrb/ > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php -- Please pray the Holy Rosary to end the holocaust of abortion. Remember in your prayers the Holy Souls in Purgatory. May God bless you abundantly in His love! For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Uploading JPEG's - Security Issues?
Rasmus Lerdorf <[EMAIL PROTECTED]> wrote: > Are you afraid of someone embedding PHP in a .jpg file? That's not really > an issue as your web server is probably configured to only serve up PHP as > .php files. Likewise, your web server config is likely such that any .jpg > file is served up as content-type image/jpeg and as such it really doesn't > matter what sort of junk is embedded in the image. At most it will show > up as a broken image icon in your browser. right. the thing you may need to worry about, if you provide some sort of service that allows for anyone to upload a jpeg file that anyone else can then download, is people using programs that piggyback other data (mp3 files, rar archives, etc) on those images. one simple check you can do to minimize this is to compare the image dimensions to the file size -- if you've got a 120x120 image in a three meg jpeg file, something is probably awry. so with a combination of php's getimagesize() and filesize(), you can try to detect that sort of thing. (this is one of the problems that plague sites that provide free webspace. it's only a security issue insofar as this can constitute an effective denial-of-service 'attack' on your systems.) jim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Uploading JPEG's - Security Issues?
Are you afraid of someone embedding PHP in a .jpg file? That's not really an issue as your web server is probably configured to only serve up PHP as .php files. Likewise, your web server config is likely such that any .jpg file is served up as content-type image/jpeg and as such it really doesn't matter what sort of junk is embedded in the image. At most it will show up as a broken image icon in your browser. -Rasmus On Tue, 14 May 2002, Andre Dubuc wrote: > Thanks Rasmus, > > I thought there had to be function out there that could examine the actual > contents. > > Now the question remains, would an ereg/eregi check for html/code/commands > work on a "jpg/jpeg" type file? From a brief examination of one, I note that > it's not text, but code. I tried writing some text commands into a jpeg file > to see what would happen, and wasn't too surprised that the file didn't load > -- but then again, I don't know what I'm doing:> > > I suppose, following what I saw in a movie "Along Came a Spider" -- > manipulating image files with hidden text files, etc. -- sort of put me on > guard. I have no idea whether this is even possible. . . sounds probable > though. Would be great to find out before the site is compromised. > > Tia, > Andre > > > On Tuesday 14 May 2002 10:32 pm, you wrote: > > Have a look at the getimagesize() function. This function looks at the > > actual file data, not the mime type nor the file's extension but the data > > itself and tells you what sort of image file it is. > > > > And no, it wouldn't really be after the fact because because stores the > > file with a temporary random filename in /tmp ensuring not to overwrite > > anything that is already there. It is then your job to perform the check > > and copy the file to some appropriate directory on your server. If you > > don't do anything with the file, PHP will automatically delete it at the > > end of the request. > > > > -Rasmus > > > > On Tue, 14 May 2002, Andre Dubuc wrote: > > > My question will probably expose my woeful lack understanding of security > > > breaches, but perhaps someone can enlighten me. > > > > > > On my site, registered members will be allowed to upload jpg/jpeg > > > pictures. I'm concerned about possible security problems. First, is there > > > a way to ensure that a picture (and not some other malicious stuff) has > > > been uploaded? > > > > > > Aside from checking the mime type info associated with the file, is there > > > any way of verifying what's in the file that has been uploaded? (I'm > > > using Linux LM8.2) Would it be possible to fake info to fool this check? > > > Would verification checks for html/scripts/commands be of any use? > > > > > > Secondly, since the file in question is already uploaded and saved to > > > disk in /tmp or wherever, wouldn't any verification scheme be sort of, > > > 'after-the-fact'? > > > > > > I would appreciate any input, suggestions, or ideas on what to do here. > > > Am I being overly-paranoid about this, or do I have legitimate security > > > concern. > > > > > > Using: Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2 > > > > > > Tia, > > > Andre > > > > > > > > > -- > > > Please pray the Holy Rosary to end the holocaust of abortion. > > > Remember in your prayers the Holy Souls in Purgatory. > > > > > > May God bless you abundantly in His love! > > > For a free Cenacle Scriptural Rosary Booklet: > > > http://www.webhart.net/csrb/ > > > > > > -- > > > PHP General Mailing List (http://www.php.net/) > > > To unsubscribe, visit: http://www.php.net/unsub.php > > -- > Please pray the Holy Rosary to end the holocaust of abortion. > Remember in your prayers the Holy Souls in Purgatory. > > May God bless you abundantly in His love! > For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/ > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Uploading JPEG's - Security Issues?
My question will probably expose my woeful lack understanding of security breaches, but perhaps someone can enlighten me. On my site, registered members will be allowed to upload jpg/jpeg pictures. I'm concerned about possible security problems. First, is there a way to ensure that a picture (and not some other malicious stuff) has been uploaded? Aside from checking the mime type info associated with the file, is there any way of verifying what's in the file that has been uploaded? (I'm using Linux LM8.2) Would it be possible to fake info to fool this check? Would verification checks for html/scripts/commands be of any use? Secondly, since the file in question is already uploaded and saved to disk in /tmp or wherever, wouldn't any verification scheme be sort of, 'after-the-fact'? I would appreciate any input, suggestions, or ideas on what to do here. Am I being overly-paranoid about this, or do I have legitimate security concern. Using: Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2 Tia, Andre -- Please pray the Holy Rosary to end the holocaust of abortion. Remember in your prayers the Holy Souls in Purgatory. May God bless you abundantly in His love! For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Uploading JPEG's - Security Issues?
Hi What I do is use the function GetImageSize(), if that returns x and/or y = 0 it probably isn't an image file and dump it. Tom At 05:06 AM 16/05/2002, you wrote: >On Wed, 15 May 2002, Andre Dubuc wrote: > > Actually, I figured out how to do it: a combination of checking: > > if ( $_REQUEST['pix']['type'] == "image/jpeg")} blah, blah, blah > >I'm pretty certain that the 'type' that appears here is just derived from >the file name, and therefore is not trustworthy. Someone please correct me >if I'm wrong (as if that's ever a problem...) > >miguel > > >-- >PHP General Mailing List (http://www.php.net/) >To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Uploading JPEG's - Security Issues?
On Thursday 16 May 2002 03:06, Miguel Cruz wrote: > On Wed, 15 May 2002, Andre Dubuc wrote: > > Actually, I figured out how to do it: a combination of checking: > > if ( $_REQUEST['pix']['type'] == "image/jpeg")} blah, blah, blah > > I'm pretty certain that the 'type' that appears here is just derived from > the file name, and therefore is not trustworthy. Someone please correct me > if I'm wrong (as if that's ever a problem...) If you're using linux/unix then you might want to look at the 'file' program. -- Jason Wong -> Gremlins Associates -> www.gremlins.com.hk Open Source Software Systems Integrators * Web Design & Hosting * Internet & Intranet Applications Development * /* It'll be just like Beggars' Canyon back home. -- Luke Skywalker */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Uploading JPEG's - Security Issues?
On Wed, 15 May 2002, Andre Dubuc wrote: > Actually, I figured out how to do it: a combination of checking: > if ( $_REQUEST['pix']['type'] == "image/jpeg")} blah, blah, blah I'm pretty certain that the 'type' that appears here is just derived from the file name, and therefore is not trustworthy. Someone please correct me if I'm wrong (as if that's ever a problem...) miguel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Uploading JPEG's - Security Issues?
Thanks Miguel, Actually, I figured out how to do it: a combination of checking: if ( $_REQUEST['pix']['type'] == "image/jpeg")} blah, blah, blah and then using 'fread' on the actual file itself, applying my 'eregi' verification code. It works! The problem before was that I was attempting to read the array, rather than the actuial file. Thanks for the link. Btw, I still confused about how to organize my /var/www/html directory so that I can still access it for code, but others will not be able to say access /var/www/html/tmp_for_checking_files_like_jpegs. I've made a temporary change (for protyping) to php.ini using /var/www/html as the upload_temp_dir, but I don't know how or where it should go in production. Any suggestions? Tia, Andre On Wednesday 15 May 2002 02:36 pm, you wrote: > On Tue, 14 May 2002, Andre Dubuc wrote: > > My question will probably expose my woeful lack understanding of security > > breaches, but perhaps someone can enlighten me. > > > > On my site, registered members will be allowed to upload jpg/jpeg > > pictures. I'm concerned about possible security problems. First, is there > > a way to ensure that a picture (and not some other malicious stuff) has > > been uploaded? > > > > Aside from checking the mime type info associated with the file, is there > > any way of verifying what's in the file that has been uploaded? (I'm > > using Linux LM8.2) Would it be possible to fake info to fool this check? > > Would verification checks for html/scripts/commands be of any use? > > You can pass the path to the unix command 'file' which looks at the file's > prologue to attempt to figure out what it is. This is usually a pretty > good way to weed out trouble. > > http://www.doc.ic.ac.uk/lab/labman/lookup-man.cgi?file > > miguel -- Please pray the Holy Rosary to end the holocaust of abortion. Remember in your prayers the Holy Souls in Purgatory. May God bless you abundantly in His love! For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Uploading JPEG's - Security Issues?
On Tue, 14 May 2002, Andre Dubuc wrote: > My question will probably expose my woeful lack understanding of security > breaches, but perhaps someone can enlighten me. > > On my site, registered members will be allowed to upload jpg/jpeg > pictures. I'm concerned about possible security problems. First, is there a > way to ensure that a picture (and not some other malicious stuff) has been > uploaded? > > Aside from checking the mime type info associated with the file, is there any > way of verifying what's in the file that has been uploaded? (I'm using Linux > LM8.2) Would it be possible to fake info to fool this check? Would > verification checks for html/scripts/commands be of any use? You can pass the path to the unix command 'file' which looks at the file's prologue to attempt to figure out what it is. This is usually a pretty good way to weed out trouble. http://www.doc.ic.ac.uk/lab/labman/lookup-man.cgi?file miguel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Uploading JPEG's - Security Issues?
Have a look at the getimagesize() function. This function looks at the actual file data, not the mime type nor the file's extension but the data itself and tells you what sort of image file it is. And no, it wouldn't really be after the fact because because stores the file with a temporary random filename in /tmp ensuring not to overwrite anything that is already there. It is then your job to perform the check and copy the file to some appropriate directory on your server. If you don't do anything with the file, PHP will automatically delete it at the end of the request. -Rasmus On Tue, 14 May 2002, Andre Dubuc wrote: > My question will probably expose my woeful lack understanding of security > breaches, but perhaps someone can enlighten me. > > On my site, registered members will be allowed to upload jpg/jpeg > pictures. I'm concerned about possible security problems. First, is there a > way to ensure that a picture (and not some other malicious stuff) has been > uploaded? > > Aside from checking the mime type info associated with the file, is there any > way of verifying what's in the file that has been uploaded? (I'm using Linux > LM8.2) Would it be possible to fake info to fool this check? Would > verification checks for html/scripts/commands be of any use? > > Secondly, since the file in question is already uploaded and saved to disk in > /tmp or wherever, wouldn't any verification scheme be sort of, > 'after-the-fact'? > > I would appreciate any input, suggestions, or ideas on what to do here. Am I > being overly-paranoid about this, or do I have legitimate security concern. > > Using: Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2 > > Tia, > Andre > > > -- > Please pray the Holy Rosary to end the holocaust of abortion. > Remember in your prayers the Holy Souls in Purgatory. > > May God bless you abundantly in His love! > For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/ > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Uploading JPEG's - Security Issues?
My question will probably expose my woeful lack understanding of security breaches, but perhaps someone can enlighten me. On my site, registered members will be allowed to upload jpg/jpeg pictures. I'm concerned about possible security problems. First, is there a way to ensure that a picture (and not some other malicious stuff) has been uploaded? Aside from checking the mime type info associated with the file, is there any way of verifying what's in the file that has been uploaded? (I'm using Linux LM8.2) Would it be possible to fake info to fool this check? Would verification checks for html/scripts/commands be of any use? Secondly, since the file in question is already uploaded and saved to disk in /tmp or wherever, wouldn't any verification scheme be sort of, 'after-the-fact'? I would appreciate any input, suggestions, or ideas on what to do here. Am I being overly-paranoid about this, or do I have legitimate security concern. Using: Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2 Tia, Andre -- Please pray the Holy Rosary to end the holocaust of abortion. Remember in your prayers the Holy Souls in Purgatory. May God bless you abundantly in His love! For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php