how to make jpg uploads safe? [PHP]

Icecube

I have an upload form where users are supposed to upload images
no need to say an asshole uploaded some kind of shit and hacked my page

how do I make a photo upload safe?

I'm already checking that the extension is among the enabled ones (currently 'image/gif', 'image/jpg', 'image/jpeg', 'image/png')
I'm checking for the file size to be bigger than 0

what else should I do?

I think they're uploading a fucked jpg image with some weird shit in it

I've heard several times of jpg vulnerabilities but I can't find anything useful on google :|

any idea?
 


Can you explain more specifically how they 'hacked' your page?

You could simply set permissions on the upload folder to not be able to 'execute'. Jpegs should not be able to run any code in it, period. The only instance of this happening was with Microsoft's preview on XP/Vista. But those vulnerabilities would have jack-shit effect on a *nix server or IIS server.

It sounds like they might have simply been able to upload a .php, or other script, and were able to execute it from the upload path. (Turning off execute permission [ie: chmod] for that folder would solve that.)
 
hacked = uploaded some kind of jpg file that when viewed (hence executed as you suggest) created a php file which was a web file manager. (I don't allow files that have other extensions such as php to be uploaded and found php files in there, created at the same time of the jpg files...)

The asshole could then navigate and upload everything wherever he wanted :D

thank you for the suggestion, I chmod the dir to 744 so now images can't be executed

I hadn't thought about the easiest thing ;)

+rep for the quick help
 
It's not going to get "executed" as php if it doesn't have a file extension that php will parse. But you could do something like...

Code:
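// imagecreatefromstring() returns false when the data is not a valid image
$image = @imagecreatefromstring($uploadedimagestring);
if ($image !== false) {
    // good image
} else {
    // bad image
}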
note: the @ is to prevent it from throwing an error if it is an invalid image.
 
Thus why I am thinking that even though he says he's blocked anything other than jpg/jpeg/gif/png, that perhaps maybe his filter isn't actually working.

PS on the code above: You need the GD extension installed for that to work. Also it may be a tad resource heavy if it gets used often. Also you want to actually create a hook to it so that you can dispose of the newly created image if it does indeed work so you don't end up creating a memory leak.
 
Here is what I do --

1. Check if the file is actually an image by using getimagesize().
2. Move the file into a unique folder.
3. Rename the file with a SHA1 of the original file name.
4. Make sure that the only file which is uploaded has valid extension.
 
Seems like overkill to actually have to check to see if the image is real and to be hashing its name and all that.

Honestly the best way to do it is to upload the content into a folder outside of the web-root, and set non-executable permissions. This way even if someone managed to push up a php file... how the hell are they going to run it when it's both outside of the web executable area, and doesn't have execute permission? Would be a lot less CPU intensive over time than checking and hashing.
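
The checks suggested across this thread, combined into one upload handler as an added example (not code from any poster). It assumes the GD extension, a form field named `photo`, and a hypothetical storage path and size limit. It also goes one step beyond the thread: it uses a random file name instead of a SHA1 of the original name, and re-encodes the decoded image instead of keeping the uploaded bytes.

```php
<?php
// Added example (hypothetical helper, not code from the thread).
// Assumed: UPLOAD_DIR is outside the web root; MAX_BYTES is an arbitrary limit.
const UPLOAD_DIR = '/var/app-data/uploads';
const MAX_BYTES  = 5 * 1024 * 1024;
// Detected image type => extension chosen by the server, never by the client.
const ALLOWED = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('bad file size');
    }
    // Identify the type from the file's bytes. $file['type'] and $file['name']
    // are sent by the browser and can be set to anything, so they are ignored.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Full decode with GD: a valid header alone is not enough to pass this.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Random name + server-chosen extension: nothing from the original
    // file name (e.g. "shell.php.jpg") reaches the file system.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    $dest = UPLOAD_DIR . '/' . $name;
    // Write a fresh encoding of the pixels instead of moving the upload,
    // so data appended to or embedded in the original file is not stored.
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dest); break;
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 90); break;
        default:
            imagesavealpha($img, true);   // keep PNG transparency
            $ok = imagepng($img, $dest);
    }
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);   // readable, no execute bit
    return $name;         // store this in the database; serve it via a script
}
// Usage in the form handler: $name = store_uploaded_image($_FILES['photo']);
```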
 