Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Security issues in accepting image uploads

Tags:

security

upload

png

jpeg

What are the major security issues to consider when accepting image uploads, beyond the normal stuff for all HTTP uploads?

I'm accepting image uploads, and then showing those images to other users.

How should I verify, for example, that the uploaded image is actually a valid image file? Are there any known vulnerabilities in viewers that are exploitable by malformed image files for which I should be concerned about accidentally passing along exploits? (Quickly googling seems to show that there once was in IE5/6.)

Should I strip all image metadata to help users prevent unintentional information disclosures? Or are there some things that are safe and necessary or useful to allow?

Are there any arcane features of common image formats that could be security vulnerabilities?

Are there any libraries that deal with these issues? (And/or with other issues like converting progressive JPEGs to normal JPEGs, downsampling to standardize sizes, optimizing PNGs, etc.)

like image 256
Doug McClean Avatar asked Sep 28 '09 04:09

Doug McClean

People also ask

What danger is there in allowing uploads over the web?

Upload forms on web pages can be dangerous because they allow attackers to upload malicious code to the web server. Attackers can then use tricks to execute this code and access sensitive information or even take control of the server.

What is upload vulnerability?

File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size.

What is the impact of file upload vulnerability?

Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement.

2 Answers

Some things I learned recently from a web security video:

  • The nuclear option is to serve all uploaded content from a separate domain which only serves static content - all features are disabled and nothing important is stored there.
  • Considering processing images through imagemagick etc. to strip out funny business.
  • For an example of what you are up against, look up GIFAR, a technique that puts a GIF and Java JAR in the same file.
like image 114
Justin Love Avatar answered Sep 29 '22 15:09

Justin Love

The risk of propogation of bugs inside image formatters isn't "exactly" your problem, but you can help anyway, by following the general practice of mapping ".jpg" to your executable language, and processing each image manually (in this way you can do refer checks as well).

You need to be careful of:

  • People uploading code as images (.jpg with actual c# code inside)
  • any invalid extensions (you check for this)
  • People trying to do path-related attacks on you

The last one is what you'll need to be wary of, if you're dynamically reading in images (as you will be, if you follow my first bit of advice).

So ensure you only open code in the relevant folder, and, probably more importantly, lock down the user that does this work. I mean the webserver user. Make sure it only has permissions to read from the folder you are working in, and other such logical things.

Stripping metadata? Sure why not, it's quite polite of you, but I wouldn't be nuts about it.

like image 41
Noon Silk Avatar answered Sep 29 '22 14:09

Noon Silk
Sign in to Comment

Related questions

Android VPNService Route Exclusion [closed]
Reflection Security
JS - How to securely use window.postMessage when the sender domain is unknown
ModSecurity maximum post limits (PCRE limit errors)
Prevent access to admin pages in AngularJS
How come a simple PHP include file be vulnerable
Best practices in dealing with the abuse of custom URL scheme to make phishing attack ios
SELECT within SELECT PDO prepared statement [duplicate]
invalidate aspx authentication cookie
How to secure javax.xml.transform.TransformerFactory from XML external attacks
Browser downloaded this unobfuscated PHP script. What is it doing?
What Uniquely Identifies a Client Making a Request to Web API?
How to log out of an expired session in Laravel 5.x?
Postman - access full request body (to calculate hash) in pre-request script
Will the mac prompt the user again to allow access to the keychain after updating the app?
How to avoid the vulnerability created by using entities at a requestMapping method?
webpack, restrict what can be imported
Storing Windows passwords
Is this a reasonable way to implement 'remember me' functionality
How to check if Windows user account name exists in domain?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!