I have a CakePHP application that allows users to upload images. I am currently using version 2.
My concerned that hackers could embed code in the images and that code then being executed on the server.
Does anybody know if using the image validation methods used on the CakePHP documentation includes security checks for this?
Here is a link that may exaplin better what I am asking.
PHP image upload security check list
Thanks in advance
You may want to first properly elaborate the situation you are concerned about, like, how would code embedded in an image be executed on the server? What kind of code would that be? What does the server / the application do with these images? Just moving them in the filesystem certainly won't do anything, no matter the files content.
CakePHP does not ship with any validation functionality that would check for the integrity/validity of binary image data. Possibly image related validation methods like Validation::mimeType() only do very basic file header checks via PHPs finfo_* or mime_content_type function.
Even if CakePHP would validate the image data structure, people could still embed all kinds of stuff via metadata for example, so if someone managed to include an image in the right context, possibly embedded code could be executed.
As mentioned initially, assess the threat first, then figure the proper defense mechanisms. If you need more security than CakePHPs built-in validation provides, then you'll probably have to process the image and ditch/filter metadata. However, even that may be exploited, properly crafted PNG IDAT chunks for example may even survive processes like resizing/resampling:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
Related
I'm working on a portal that requires users to upload the images which wil be shown in a certain HTML pages. What should be the good practice here ?
Should I avoid uploading and ask users to give their own URL for the images ?
Ask users to upload image files.
Since we know, an image can be a deadly one if it contains code injection, but what about the remote ones, are they secure ?
Thanks
It depends on your website consistency. Uploading is much better than entering URL for example if the targeted audience is a professional clients they would prefer uploading as it would be difficult to explain to them what is a remote url and how to get it. But uploading is a more traditional way and feels more easy.
On the other hand if most of your targeted audience is internet users then there might be no need to give upload option. But as I said uploading feels much more natural and easy to users. It also depends on the type of images, if the images are the user's avatar then uploading would fit and if the users are adding images to your website to only share images they found from other websites then remote url would be more appropriate.
Both uploading and fetching remote ones to your server could be deadly, but if you use remote ones just to store the urls in your database then it will create no security problem.
So if you want upload feature or storing the remote images to your server you must do some certain steps to ensure the security of your server:
Verify the file extension and mime to be of valid image. (Don't rely only on this.)
Verify it's a valid image file (using php getimagesize)
Resize and copy the image into a new image object. And store that image into your server.
The folder where you are going to store must have all kinds of code executions disabled by using .htaccess (SetHandler default-handler)
Well, it depends on the nature of the project.
In fact any method could be fine, but you should validate and filter the user input.
There is a lot of options to validate a file if it is an image or not.
The getimagesize() function from php could be mentioned as an example, since every image file has to have a resolution and other relevant data.
There are other questions on SO here which answer yours too, you just need to take a look.
Validate image file php
In addition to Ghulam Ali's suggestions:
Make sure to sanitise the filenames. Best is to generate new filenames for user uploaded media.
Have the upload directory with only writable user permissions but that might lead to some complications.
Apart from tackling the security issues, you will also need to figure other important stuff such as orientation as media taken from a mobile device may have random orientations.
I've created a CMS system that grabs website source code from FTP addresses and uploads it to the current server. The issue with this is I don't want to be uploading dangerous code that can control my server.
Is there any tried and tested functions that already exist to filter PHP code for malicious code?
Thanks in advance.
The issue with this is I don't want to be uploading dangerous code that can control my server.
Then don't do this. There is no 100% reliable way to exclude the possibility that code is malicious in some way.
That said, there is a list of exploitable PHP functions here on SO. But in your case, I'd still say - if you can't trust the code you are uploading, don't upload it. Find another way to do what you need to do.
I am (still) attempting to upload large files <200mb via a html form using php.
During my research into this I have come across the term "chunking", I understand that this process can break the file into handy sizes such as 5mb and reassemble them into the full file at the server side.
My problem seems to be where I can begin? I seem unable to find the correct resources by googling (Or perhaps I'm suffering from not knowing which terms to search for).
So what I'm hoping for today is a chance to educate myself with the basics, a direction in which to look would be very helpful. I don't really want to download a plug-in or anything like that, I would prefer to learn by experimentation.
EDIT to add: Although the two answers below would appear to be correct, this takes me into the realm of stuff that I can't do as a designer...If anyone reading this can suggest a different approach I would appreciate it.
Web browsers do not split uploads into chunks. For this you'll have to use your own "chunking" client: a Flash program or a Java applet.
You can take a look at JUpload. There are also examples in the wiki.
From SourceForge :
Multiple File Upload Applet (JUpload) takes care of the limitation posed by traditional HTML upload forms by allowing you to upload a whole directory and the files within it with a single click. Optionally, it allows simple picture management.
I'm talking about user uploaded images. These images might be unsafe and may even contain scripts and such. I was told that as long as I don't execute the image, I should be fine. What exactly counts as executing an image? If the user uploads a .png and I need to convert it to .jpg first before displaying it, does this conversion count as executing the image.
If you e.g. use some library to work with the library, then the only way for that to be a security risk is an issue with the library itself. E.g. if there is a buffer overflow security issue in the library, a mere process of reading the image could potentially make it execute the code conveniently hidden in the image (i.e. image would not be the image anymore, it will be turned into code).
If you use standard libraries, chances for such security holes are rather slim. Not zero, though, but I guess you would have to live either with that or not looking at any digital picture in your life again.
Provided that the tool used to convert the image isn't vulnerable to any exploits, the act of converting it does not involve executing it.
You can trust the image conversion process if you like, but as others have said, the risk exists that simply processing the data could leave you vulnerable. You can take other steps to isolate the image processing step if it is critical.
You could put that step on a separate machine, so that a compromise doesn't put the malicious code on the server communicating with the public. You could also run that process as another user, so that an exploit would have to escalate privileges in order to compromise your service.
I am building a Flash AS3 application that allows users to modify images, and then submit-save them to a server.
The user will then have the ability to log in and access these saved images in a thumbnail gallery. They can either delete an image or click a thumbnail to view it at original size.
I am comfortable with the front end having built something similar in AS2 and Flash 8 a few years back.
What will be required for the backend?
I assume some type of PHP-MySQL database is needed. Not sure about hosting issues requirements as the AS2 application I built never sent any actual binary data, but rather data describing the image transformations. I assume I will need to make use of byteArray?
Is there an existing tutorial or code sample that does something similar available for viewing-download?
Are there any security restriction 'gotchas' associated with FP9 -10 I need to be aware of?
the most simple way is to create the image in the client ... get a BitmapData snapshot of the image using BitmapData::draw ... convert this to JPEG or PNG using the as3corelib, that offers encoders for both formats ... and then just send the raw binary data to the server (store it into the data property of your URLRequest) and there, store it to the file system (retrieve it in $HTTP_RAW_POST_DATA) ... so the whole storage process is just a couple of lines ...
you will need a database of course, for session management (you could rely on PHPSESSION only, but personally i don't trust it), login, registration and to store which image belongs to which user ...
so yeah, the whole netcode/backend/storage thing etc. will be quite a piece of cake (btw. you might wanna look into amfphp) ... designing a good interface and implementing the galery view etc. will be the biggest chunk i guess ...
there are no real security gotchas, as long as your SWF comes from the same server, that it communicates to ...
so good luck then ... ;)
greetz
back2dos
If you are on a shared host, php and mysql are probably already available to you, that is a good way to get started.
In terms of flash communicating with the server, you will have to find a way to turn your pictures into a stream of bytes (byteArray sure), and then use flash's send() to post them to the server. Sending XML Out From Flash
Using php you can receive the images and save them to the db, and show them (turn the stream of bytes back into an image with gd -- gd docs)
Also: you may not ever have to send a stream of bytes if you can find a way to have flash describe the transformations, and have gd repeat them, just a thought.
Are there any security restriction 'gotchas' associated with FP9 -10 I need to be aware of?
Maybe, if you are posting data to a different server, you have to enable it with some xml Send data from Flash to PHP on a different server