Security risks of hosting user-supplied images?

Question

I have a program that will accept and fetch images from urls. It will check if the extension is .png, .jpg, etc...

I will fetch these files and store them, they will be shown to users in a gallery (like Imgur and TinyPic). I can't trust these files to be images.

• How can I verify that those images are actually images and not, for instance, a php shell script?
• If I do this, will I have other security risks?

I know there is a magic number for files, so how would I be able to verify this? (language would be python).

Answer 1

An image might still be a valid image and still contain malicious material such as embedded comments or other (undefined) attack vectors. One -- albeit old -- example was the GDI JPEG vulnerability in Windows from 2004.

I think your primary concern is to ensure that your image-acceptance mechanism is simple and tight. You'll want to watch for file permission errors, resource exhaustion (running out of space, tying up network resource, etc.) and path attacks (eg. potentially overwriting files).

Furthermore, ensure that any string-handling checks are strictly and precisely defined. There was a recent question on sec.SE regarding attacking ASP upload code that used a less strict string searching mechanism.

Finally, search this site for the term "upload". Some fine examples which can give you a clear picture (no pun intended!) of all of the challenges you may face:

• What steps should be taken to validate user uploaded images within an application?
• What are the security risks of letting the users upload content to my site?

Answer 2

I agree it is tricky to secure yourself against an attack when your are inviting potential attackers with a way to upload files to your server. The best advice I can give is to use multiple approaches when securing uploaded content.

Ensure that the filename that is submitted is sanitised. For example, you don't want someone submitting '/../../index.html' as a filename, and overwriting your index page.

Filenames should also be checked for a valid mime type and extension (.jpg, .gif), however it is also worth investigating if your language of choice has any potential vulnerabilities when dealing with filenames, for example, when dealing with PHP it is sometimes possible to pass a null byte which may bypass extension restrictions.

By choosing a custom filename yourself for uploaded content, you can mitigate a lot of the risk of malicious filenames. So if you accept a mime type of 'image/jpeg', write this to a file with a filename of '[RANDOMSTRING].jpg'.

As woliveirajr commented, checking magic bytes can also be a good idea, however there would be nothing to stop someone from uploading a php backdoor script containing a few magic bytes, and then proceeding with <%php code.

Once you are happy that you have secured your upload script, check if your web server has a configuration option to disable execution of scripts in your destination directory (such as IIS execute permissions). This would mean that even if someone is able to bypass your upload whitelisting, they would find it difficult to have a script to execute on your server.

Also be aware of attacks not directly related to execution of code on your server. I have seen countless times that file uploads are protected against server side execution, however uploading a filename of '.....' results in a XSS attack.

This is by no means an extensive list, but I hope it gives you an few ideas of the different areas you should be protecting against.

Answer 3

This is already fully covered in the answers to the following questions on this site:

• How can I be protected from pictures vulnerabilities?

• Is it safe to store and replay user-provided mime types?

• Using file extension and MIME type (as output by file -i -b) combination to determine unsafe files?

• How should I serve untrusted / unsanitized documents (PDF, DOC, XLS) to end users over the web?

• Is it safe to serve any user uploaded file under only white-listed MIME content types?

• Does X-Content-Type-Options really prevent content sniffing attacks?

• What are the security risks of letting the users upload content to my site?

• What steps should be taken to validate user uploaded images within an application?

• Why should I restrict the content type of files be uploaded to my site?

• How to defend vs. Image Remote File Inclusion, e.g. RFI using a .gif file (Apache/PHP)?

• Is it possible to inject HTML into image to provoke XSS?

Check them out -- you'll find a wealth of great information there!

Answer 4

Uploading Security:

1. Secure code:

   • You should verify the extension by using white-list (.jpg, .png,.doc ...). Don't use black-list (.php, .aspx ...)
   • Don't trust mime type, which is sent by user.
   • Avoid malicious file names by changing the name to a new random name eg: New file name = prefix_MD5(file name).extension
   • Re-size all images.

2. Config server:

   • Disable execution of scripts in your destination directory
   • Set your upload directory out of website directory eg: Website root path: /home/user/public_html/ upload directory: /home/user/upload_dir/ So, hacker can't access malicious uploaded file directly.