Say I allow my users to embed images that others can view, then the user rewrites the image to be a PHP file, for instance. Would that pose a security risk of him injecting something into my code?
I didn't want to give an answer already found here but wanted to give some tips on securing it. I wrote several image uploaders that would first use getimagesize() to verify that the file is in fact an image. Then I would resample the image and save it with a valid image file extension using the GD lib to strip any EXIF metadata. Also I would never give the end user any control of naming a file. – Bacon Brad Oct 05 '15 at 22:51
3 Answers
Would that pose a security risk of him injecting something into my code?
Yes
If you allow your users to upload an image file with no 'robust' validation, it is trivial for an attacker to upload a malicious PHP file (e.g. by faking it as an image through changing the Content-Type request header) and execute it on your server or get remote access.
Secure handling of File upload is not easy. You may find the below article helpful to know more about its security risks and recommendations:
In addition to what Dr Mattle said, "The little jpeg that could hack your organization" https://www.youtube.com/watch?v=BIwe571zcWY A real world example of why it's important to get this right. – k1DBLITZ Oct 06 '15 at 12:54
There is no way a user can "rewrite an uploaded image to be a PHP file" because PHP files are recognized by their .php ending, not by their content.
But there are other aspects related to image upload that can be exploited. Displaying metadata without validating it for example can be a security risk. This would potentially allow an attacker to upload an image and inject client side parsed code into your website by modifying the metadata.
There is a way, using modRewrite, and the question was supposed to be about embedded images really – Deimantas Oct 05 '15 at 20:19
Yes, of course, but that would rely on the server-side defined rewriting rules, which can't be changed by an attacker – davidb Oct 05 '15 at 20:20
It wouldn't, because I have just successfully rewritten an image into a PHP file and embedded it into my forum signature; in the end I got the IPs of every user on that forum – Deimantas Oct 05 '15 at 20:32
What I want to know is if it's possible to execute code by using an img rewritten in PHP – Deimantas Oct 05 '15 at 20:32
Yes, it is possible. But not just XSS. It can lead to remote command execution if the image is uploaded to your server. To prevent this, always recreate any uploaded image as a randomly named image file.
If you allow embedding images from other websites, you have to take care of XSS on user inputs. Otherwise no risks are involved, since the browser will not process JavaScript from image files even if there is any.
Uploaded images won't be a risk if they are recreated using built-in functions and renamed. External images can be used to learn your visitors' IP, browser, location etc. without any rewriting. So that is not a risk with rewriting – haseeb Oct 06 '15 at 14:50
The image URL is just a string like other HTML parts on the server side. It is the img tag in the browser which requests the URL from the external server. That's why you got the user information – haseeb Oct 06 '15 at 14:55
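
An added example, not code from any of the posts above, of the upload handling that the first comment and the last answer describe: check the file with getimagesize(), re-encode it with GD, and store it under a server-chosen random name. The `UPLOAD_DIR` path, the two limits and the function name `store_uploaded_image()` are assumptions made for the illustration.

```php
<?php
// Added example. UPLOAD_DIR, MAX_BYTES, MAX_PIXELS and store_uploaded_image() are assumed names.
const UPLOAD_DIR = '/var/www/uploads';  // assumed path; should not be a directory where PHP is executed
const MAX_BYTES  = 5 * 1024 * 1024;     // assumed upload size limit
const MAX_PIXELS = 40000000;            // assumed limit on width * height before decoding

function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // $file['type'] (the Content-Type header) and $file['name'] are client-supplied
    // and are never used. getimagesize() inspects the file contents instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        throw new RuntimeException('not a JPEG or PNG image');
    }
    if ($info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('image dimensions too large');
    }

    // Full decode with GD: a file that only carries a valid image header fails here.
    $isJpeg = $info[2] === IMAGETYPE_JPEG;
    $img = $isJpeg ? @imagecreatefromjpeg($file['tmp_name'])
                   : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // Random name and extension are chosen by the server, never by the user.
    $name = bin2hex(random_bytes(16)) . ($isJpeg ? '.jpg' : '.png');
    $path = UPLOAD_DIR . '/' . $name;

    // Re-encoding writes only the decoded pixels, so EXIF and other metadata are dropped.
    if ($isJpeg) {
        $ok = imagejpeg($img, $path, 85);
    } else {
        imagesavealpha($img, true);     // keep PNG transparency
        $ok = imagepng($img, $path);
    }
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}
```

A handler would call `store_uploaded_image($_FILES['image'])`, where the field name `image` is also an assumption, and keep only the returned name.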