
I have an ASP.NET web application that allows the user to upload a file from his PC to a SQL Server database (which is later used to generate an image for an `<img>` tag). Is there an "easy" way to test the image within .NET to validate that it does not contain anything malicious before saving it?

Right now, I use this:

    // Needs System.Drawing (System.Drawing.Common on .NET Core / .NET 5+)
    using System.Drawing;
    using System.Drawing.Imaging;
    using System.IO;

    byte[] Photo;
    // Both objects are disposed when the block ends, so the source file is unlocked.
    using (MemoryStream F = new MemoryStream())
    using (Bitmap TestBitmap = new Bitmap(Filename))   // throws ArgumentException if the file is not a decodable image
    {
        TestBitmap.Save(F, ImageFormat.Png);           // re-encode: only the decoded pixels are written
        Photo = F.ToArray();                           // copy the whole stream (later saved to the database)
    }

Creating TestBitmap fails if it is not an image (e.g. if Filename is the name of a text file), but apparently this doesn't stop a file that is an image with malicious code appended to it from loading as an image, so saving it to a MemoryStream and then writing the stream to a byte array (which is later saved in the database) supposedly fixes this.

Don Del Grande

1 Answer


To prevent people from passing programs and other information using the ability to upload photos to your site, you can take two main steps.

  1. Read and save the image again with your code to remove anything else.
  2. Limit the size of each image to a logical number.

To prevent someone from uploading bad code and running it on your server, keep an isolated folder without permission to run anything. More information about that here:

I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼

And a general topic on the same subject: Preparing an ASP.Net website for penetration testing

Aristos
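The two steps in the answer (re-encode the image, cap its size) written out as one sanitizing routine. This is an added example, not code from the question or the answer; it assumes `System.Drawing` (on .NET Core / .NET 5+ that is the `System.Drawing.Common` package, which needs Windows or the compatibility switch), and the size and dimension limits are hypothetical values to be tuned for the site. It goes one step beyond the answer by drawing the decoded pixels onto a fresh bitmap before saving, so EXIF and other metadata are dropped along with any trailing bytes, and by rejecting images whose declared dimensions are far larger than the file (a decompression bomb) before allocating that bitmap.

```csharp
// Added example (not from the question or answer). Assumes System.Drawing.
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;

public static class ImageUploadSanitizer
{
    // Hypothetical limits; tune for your site.
    public const int MaxUploadBytes = 2 * 1024 * 1024;   // 2 MB of uploaded bytes
    public const int MaxPixelWidth  = 4096;
    public const int MaxPixelHeight = 4096;

    // Returns the re-encoded PNG bytes to store, or throws InvalidDataException
    // if the upload is rejected. The original bytes are never stored.
    public static byte[] Sanitize(Stream upload)
    {
        if (upload.CanSeek && upload.Length > MaxUploadBytes)
            throw new InvalidDataException("Upload exceeds size limit.");

        // Copy with a hard cap so a non-seekable request stream cannot exhaust memory.
        byte[] raw = ReadWithCap(upload, MaxUploadBytes);

        using (var input = new MemoryStream(raw, writable: false))
        using (var output = new MemoryStream())
        {
            Image decoded;
            try
            {
                // useEmbeddedColorManagement: false, validateImageData: true
                decoded = Image.FromStream(input, false, true);
            }
            catch (ArgumentException ex)
            {
                // GDI+ could not parse the file as any supported image format.
                throw new InvalidDataException("File is not a decodable image.", ex);
            }

            using (decoded)
            {
                // A tiny file can declare enormous dimensions; refuse before allocating.
                if (decoded.Width > MaxPixelWidth || decoded.Height > MaxPixelHeight)
                    throw new InvalidDataException("Image dimensions exceed limit.");

                // Draw onto a brand-new bitmap: only pixels survive, no metadata,
                // no trailing bytes, and the output is always PNG.
                using (var clean = new Bitmap(decoded.Width, decoded.Height, PixelFormat.Format32bppArgb))
                using (var g = Graphics.FromImage(clean))
                {
                    g.DrawImage(decoded, 0, 0, decoded.Width, decoded.Height);
                    clean.Save(output, ImageFormat.Png);
                }
            }
            return output.ToArray();
        }
    }

    // Reads the stream into memory, aborting as soon as the cap is exceeded.
    private static byte[] ReadWithCap(Stream s, int cap)
    {
        using (var ms = new MemoryStream())
        {
            byte[] buf = new byte[8192];
            int n;
            while ((n = s.Read(buf, 0, buf.Length)) > 0)
            {
                if (ms.Length + n > cap)
                    throw new InvalidDataException("Upload exceeds size limit.");
                ms.Write(buf, 0, n);
            }
            return ms.ToArray();
        }
    }
}
```

Call `ImageUploadSanitizer.Sanitize(postedFile.InputStream)` in the upload handler and store only the returned array; because the stored blob is always PNG, serve it with a fixed `image/png` content type rather than one taken from the upload. This covers the answer's first two steps only; the third one, a folder the web server cannot execute from, is a server configuration matter and is not something the code above can enforce.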