Questions tagged [file-types]

51 questions
28 votes, 3 answers

How can I be protected from picture vulnerabilities?

I've just read this question: What is the corrupted image vulnerability? How does it work? (GIFAR, EXIF data with JavaScript, etc.) I'm asking myself how I can protect myself and my website's users. My users are allowed to upload their own images…
Asked by xun (reputation 383)
24 votes, 4 answers

What is the corrupted image vulnerability? How does it work?

What exactly happens when someone injects malicious binary code into an image file (on Windows)? How is that done?
Asked by Moshe (reputation 1,721)
21 votes, 4 answers

Is VLC on Linux vulnerable to an attack from .wmv files designed to install viruses?

I was stupid and did not check a video file I downloaded from an untrustworthy source. It was a .wmv file with no readable properties of the video. I know that .wmv videos can download viruses. What I don't know is if they can do this to VLC on Linux…
Asked by user (reputation 817)
19 votes, 4 answers

Is it safe to store and replay user-provided mime types?

If a user uploads a file but modifies the request by setting the mime-type to something arbitrary, like "superdangerous/blackhatstuff", is it safe for me to send the same mime type back to a different user later on? I.e. another user downloads the…
Asked by Mark E. Haase (reputation 1,902)
18 votes, 6 answers

Is there a way to check the filetype of a file uploaded using PHP?

I don't want it to just check the extension of the file, as these can easily be forged; even MIME types can be forged using tools like TamperData. So is there a better way to check file types in PHP?
Asked by Grim Reaper (reputation 518)
17 votes, 3 answers

Using file extension and MIME type (as output by file -i -b) combination to determine unsafe files?

We allow users to upload a number of files, all of which we either send over to Scribd (doc, xls, ppts, etc) or display as a video ourselves (flv, mov, mp4, etc in flowplayer). To avoid users uploading unsafe files, we check against a set of known…
Asked by siliconpi (reputation 1,087)
15 votes, 8 answers

Is it possible to prevent a file type from being determined in a Linux system?

I have several files on my Ubuntu system, which are LUKS encrypted partitions. To my own shame, up to this day I thought that simply changing a binary file's extension would be enough to hide what a file really is. I.e. if I rename my LUKS partition…
Asked by Dmitry Koroliov (reputation 281)
13 votes, 1 answer

What are the security risks associated with PDF files?

What are the security risks associated with PDF files? There is, of course, the general risk associated with any type of file: that whatever application is used to read it will have a bug that can be exploited by certain byte sequences within the…
13 votes, 1 answer

Which files are more insecure than others?

Given the fact (or, if it is not a proven fact, the opinion) that some types of files are safer to handle after getting them from the Internet than others, I'd like to ask: which files are more insecure than others in…
Asked by rem (reputation 2,017)
10 votes, 4 answers

Making a Blacklist of filetypes to protect PHP application

I'm working in a PHP system where the user can upload files. I'm trying to protect the system from malicious code, so I'm thinking about some type of blacklist of files that I have to block from upload. I know that a whitelist is better than a…
Asked by James (reputation 265)
9 votes, 3 answers

How to open a file from the Internet in a secure way?

Sometimes I have to open files (doc, zip, txt, pdf and some other) downloaded from the Internet (from unproven sites) on my computer. How could I mitigate the risk and open them in a more or less secure way? What types of files are more insecure…
Asked by rem (reputation 2,017)
9 votes, 2 answers

Why should I restrict the content type of files being uploaded to my site?

We are building an application where users can upload resumes in our system for our administrators to download. We are having a debate about restricting the content type of the files that can be uploaded. I'm having a hard time piecing together…
Asked by Andy (reputation 505)
8 votes, 5 answers

Using PDF instead of doc(x) or html: safer?

Similar to the recent question about why we lock our computer, many people send documents as PDF files instead of a doc or html page because it would protect the document from editing. And yes, it does add some value because you're making it less easy to…
Asked by Luc (reputation 31,973)
8 votes, 5 answers

How should I serve untrusted / unsanitized documents (PDF, DOC, XLS) to end users over the web?

My website will be hosting documents for end users and I would like to make this as secure as possible. Question: Assuming that I have a need to share documents on a website that may contain hostile code, what should I do to protect myself and my end…
Asked by makerofthings7 (reputation 50,090)
5 votes, 2 answers

What is the format of an X9.62 key?

RFC8292 contains this gem: The "k" parameter includes an ECDSA public key [FIPS186] in uncompressed form [X9.62] that is encoded using base64url encoding [RFC7515]. There is an example of the use of such a key a bit further down: Authorization:…
Asked by Wouter Verhelst (reputation 155)