There was a recent Flash vulnerability found that allows for the potential of malicious attacks when someone uploads a flash file or a file embedded with flash (for example, a gif overloaded).

According to the article, even a simple image can be hijacked.

In PHP, the typical ways of checking a file type are by extension and by MIME type.

Using the simple example of an image, how would PHP properly vet a file (as is recommended in the article)? MIME types can be spoofed, as can extensions, and if the file is piggy-backed, what is the workaround?

A: 

Look for the SWF header.

Better still, look for the bona fides of the file type you expect the resource to be. In other words if the extension and mime type tell you it's supposed to be a JPEG image, and you confirm that you allow that type of file, look for the JPEG header.

Ewan Todd
However, the article says that a gif file can have the flash file appended to it, and still be valid with the header. It is that case that I am concerned about.
Cryophallion
OK, then you disallow gifs that contain swfs. The first point is that all of these formats, including hybrid variants, have characteristics that you can test for. I suggested the file header, but you can use stronger characteristics than that. You can treat file extension and mime type as hints rather than definitive characteristics. The second point is that it is simpler to confirm that an item truly is of a type that is on your white list than it is to determine that it is not any of the items on your black list.
Ewan Todd
Fair enough. Any idea how I would do this in php?
Cryophallion
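The "confirm it really is the type on your white list" advice above, as an added PHP example that is not part of the original thread: the file's leading bytes decide what it is, and the client-supplied extension is only a hint that must agree with that. The signature table, the helper names (`detectImageType`, `vetUpload`) and the sample bytes are all constructed for this example.

```php
<?php
// Added example (not from the thread): identify an uploaded file by its magic
// bytes and accept it only if that type is on the allow list AND agrees with
// the extension the client claimed. Extension and Content-Type are hints only.

// Leading-byte signatures of the image types we are prepared to accept.
const IMAGE_SIGNATURES = [
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
    'gif'  => ["GIF87a", "GIF89a"],
];

// Which client-supplied extensions (lower case) map to which detected type.
const EXTENSION_TYPES = [
    'jpg' => 'jpeg', 'jpeg' => 'jpeg', 'png' => 'png', 'gif' => 'gif',
];

/**
 * Return the image type implied by the first bytes of $bytes, or null when the
 * data does not start with any signature on the allow list (an SWF that starts
 * with "FWS", "CWS" or "ZWS" therefore yields null).
 */
function detectImageType(string $bytes): ?string
{
    foreach (IMAGE_SIGNATURES as $type => $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($bytes, $sig, strlen($sig)) === 0) {
                return $type;
            }
        }
    }
    return null;
}

/**
 * Vet a stored upload: read only the first 16 bytes, detect the type, and
 * require the claimed extension to map to exactly that type. A ".gif" whose
 * bytes say JPEG is rejected, as is anything whose bytes match no signature.
 */
function vetUpload(string $path, string $claimedName): bool
{
    $head = file_get_contents($path, false, null, 0, 16);
    if ($head === false) {
        return false;
    }
    $detected = detectImageType($head);
    if ($detected === null) {
        return false;
    }
    $ext = strtolower(pathinfo($claimedName, PATHINFO_EXTENSION));
    return isset(EXTENSION_TYPES[$ext]) && EXTENSION_TYPES[$ext] === $detected;
}

// Constructed sample data (not real uploads): a GIF header and an SWF header.
$gifBytes = "GIF89a\x01\x00\x01\x00\x80\x00\x00";
$swfBytes = "FWS\x0A\x10\x00\x00\x00";

$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, $gifBytes);
$gifAsGif = vetUpload($tmp, 'avatar.gif');   // signature and extension agree
$gifAsJpg = vetUpload($tmp, 'avatar.jpg');   // ".jpg" claimed, bytes say GIF
file_put_contents($tmp, $swfBytes);
$swfAsGif = vetUpload($tmp, 'avatar.gif');   // SWF signature, not on the allow list
unlink($tmp);

printf("gif-as-gif: %s, gif-as-jpg: %s, swf-as-gif: %s\n",
    $gifAsGif ? 'accept' : 'reject',
    $gifAsJpg ? 'accept' : 'reject',
    $swfAsGif ? 'accept' : 'reject');
```

Checking the leading bytes only answers "does this start like a GIF"; it says nothing about what follows the image data, which is exactly the appended-SWF case the question asks about. That needs a scan of the whole file and a re-encode, which the second answer describes.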
+1  A: 

You'd need to validate all the data in the file; for the case of the image, this means you need to open the image, see if it is a valid type, recognize all the chunks of data corresponding to the file type, and remove the rest, if any.

One option would be using GD to re-save your image, or trial and error removing bytes at the end of the file and seeing if the image is still valid (again, using GD). Of course, you may try to validate only those files that you think are suspicious, like if you detect the SWF header (or all of them, if you feel like being paranoid).

Ast Derek
That was my original thought (try to scale the file to itself and re-save, or force a conversion to PNG, for example). However, that would be rather intensive on all incoming GIFs, etc. Do you know how to check for the header in PHP?
Cryophallion
Filter just the images that contain the SWF header, remove the SWF part (from the SWF header onward) and try to open the file using GD. If the file is valid, accept it; otherwise reject the file.
Ast Derek
Oh, to check the header, open the file as binary and look for the string FWS (uncompressed SWF) or CWF (compressed SWF). If the image fails to be opened without the SWF and the rest of the bytes, then those may be part of the file, but it'd be safer to reject it.
Ast Derek
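The procedure the second answer and its comments describe (scan for an SWF signature, cut from there, re-open through GD, reject on failure), as an added PHP example that is not code from the original thread. For reference, SWF files begin with one of three three-byte signatures, `FWS` (uncompressed), `CWS` (zlib-compressed) or `ZWS` (LZMA-compressed), followed by a one-byte version. The helper names (`findSwfOffset`, `reencodeThroughGd`, `sanitiseImage`) and the demo polyglot are constructed here; the example assumes the `gd` extension is loaded.

```php
<?php
// Added example (not from the thread): find an SWF appended to an image upload,
// drop everything from its signature onward, and re-encode the remainder with
// GD so only decoded pixel data survives. Assumes ext/gd is available.

/** Byte offset of the earliest SWF signature in $bytes, or -1 if none is found. */
function findSwfOffset(string $bytes): int
{
    $earliest = -1;
    foreach (['FWS', 'CWS', 'ZWS'] as $sig) {
        $pos = strpos($bytes, $sig);
        if ($pos !== false && ($earliest === -1 || $pos < $earliest)) {
            $earliest = $pos;
        }
    }
    return $earliest;
}

/**
 * Decode the bytes with GD and write them back out as PNG. Returns the clean
 * PNG bytes, or null if GD cannot decode the input (the caller should reject).
 * Caveat: GD reads only the first frame of an animated GIF, so animation is
 * lost by this step.
 */
function reencodeThroughGd(string $bytes): ?string
{
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    ob_start();
    imagepng($img);           // no filename: writes to the output buffer
    $png = ob_get_clean();
    imagedestroy($img);
    return $png === false ? null : $png;
}

/**
 * Returns sanitised image bytes, or null to reject the upload.
 * A signature at offset 0 means the whole file is an SWF, not an image.
 */
function sanitiseImage(string $bytes): ?string
{
    $cut = findSwfOffset($bytes);
    if ($cut === 0) {
        return null;
    }
    if ($cut > 0) {
        $bytes = substr($bytes, 0, $cut);   // drop the SWF and anything after it
    }
    return reencodeThroughGd($bytes);
}

// Constructed demo (not a real malicious sample): a 1x1 GIF made with GD, with
// a fake uncompressed-SWF trailer appended the way a polyglot upload would be.
$src = imagecreatetruecolor(1, 1);
ob_start();
imagegif($src);
$gif = ob_get_clean();
imagedestroy($src);

$polyglot = $gif . "FWS\x0A" . str_repeat("\x00", 16);
$clean = sanitiseImage($polyglot);

if ($clean === null) {
    echo "rejected\n";
} else {
    echo "accepted: " . strlen($clean) . " bytes of re-encoded PNG, "
       . "SWF signature present afterwards: "
       . (findSwfOffset($clean) === -1 ? 'no' : 'yes') . "\n";
}
```

Two practical notes on this approach. First, a plain `strpos` for `FWS`/`CWS`/`ZWS` can hit those three bytes inside legitimate compressed pixel data (JPEG scan data in particular); cutting there corrupts the image, GD then fails to decode it, and the upload is rejected, which is the safe failure mode but does mean occasional false rejections. Second, if you are going to run the file through GD anyway, the re-encode alone already discards any trailer, because GD stops reading at the end of the image structure and the output contains only the pixels it decoded; the signature scan is then mainly useful as a cheap filter for deciding which files to log or to spend the re-encode on, as the answer suggests.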