ansaurus

Question

Answer 1

+1 A:

Another thing to worry about is that you can easily embed PHP code inside an image and upload that most of the time. The only thing an attack would then have to be able to do is find a way to include the image. (Only the PHP code will get executed, the rest is just echoed). Check the MIME-type won't help you with this because the attacker can easily just upload an image with the correct first few bytes, followed by arbitrary PHP code. (The same is somewhat true for HTML and Javascript code).

Jasper Bekkers 2008-10-27 19:03:22

I'm not letting users upload images. Users are only allowed to link to images on other sites for reasons such as what you mentioned.

Dan Herbert 2008-10-27 19:06:53

Wouldn't a simple filename filter prevent this?

AaronSieb 2008-10-27 19:44:13

@AaronSieb, no because you could, for example, embed PHP code in a GIF pallet and upload a perfectly valid GIF image with the correct filetype and mime type. Problem is, as long as I can manipulate the website to do include("my_uploaded_gif.gif") you're in trouble. Also, the watch the %00 thing.

Jasper Bekkers 2008-10-27 20:04:58

That should've said filename.

Jasper Bekkers 2008-10-27 20:05:50

I guess I don't know enough about PHP :) If you have enough access to do execute the include("my_uploaded_gif.gif") statement, why would you need to embed the malicious code in the GIF in the first place?

AaronSieb 2008-10-27 20:49:55

Having someone that does include($_GET['p] . '.php') is enough to include arbitrary files (index.php?p=some_image.gif%00 or whatever). Uploading them as an image is one way to get those files on the server.

Jasper Bekkers 2008-10-27 21:28:37

Answer 2

+1 A:

In that case, look at the context around it: do users only supply a URL? In that case it's fine to just validate the URLs semantics and MIME-type. If the user also gets to input tags of some sort you'll have to make sure that they are not manipulatable to do anything other then display images.

Jasper Bekkers 2008-10-27 19:38:34

Answer 3

+1 A:

If the end-viewer is in a password protected area and you're using RESTful Urls, it's possible to request a Url on their behalf. Example:

src="http://yoursite.com/users/1234/delete"

or even if you're not using Restful Urls:

src="http://yoursite.com/pagethatdoessomething.xxx?vars=badvars"

Corbin March 2008-10-28 05:25:47

Would I really be vulnerable to that? My Regex only allows http/https at the start of the URL, so Javascript (or any encoding of it) shouldn't be able to get through, or am I wrong?

Dan Herbert 2008-10-28 10:35:19

Whoops, forgot about the 'https?://'. I'll edit my answer.

Corbin March 2008-10-28 16:03:02

ansaurus

tags:

views:

answers:

Cross-site scripting from an Image

related questions