
After reading a lot of articles, I would say: so what should I actually do to secure my site from hack attempts via file upload?

From these links:

  1. This link says that MIME IS USELESS and that EXTENSION IS THE WAY TO GO. But in the end the two parties are just arguing and, if I'm correct, BOTH agreed to say that both MIME and EXTENSION have a security hole. A lot of hate over there.

  2. This link agrees that MIME is also useless AND EXTENSION is also just not FOOLPROOF, as HTML or JavaScript code can be inserted in a GIF image file (or others) and can be misinterpreted by IE, leading to a quick backdoor entrance for malicious code (I really wish everyone would just vote to stop the use of IE. It's like it was made to be used as a hacking browser.)

  3. This link says to give the file a NON-EXECUTABLE PERMISSION so that no matter what it is, it won't run (but would this protect us from XSS/HTML/JavaScript/etc. embedded in the images like the one mentioned in the 2nd statement? If giving the file a non-executable permission would protect us from those embedded threats, would it also protect us from other threats? Are there other forms of hack that can bypass this approach?)

  4. And then there's this link that says "Re-process the image"; other methods are just "fun boring for hackers." Which is, in a way, a solid way of identifying if the IMAGE is an IMAGE (IMO, because imagick won't convert a non-image, right? Not sure. Haven't dived into it yet. Looked deep).

So what is the best and secure way to protect our sites from file upload threats?

If we check for all:

  • VALID MIME TYPE
  • VALID EXTENSION
  • GETIMAGESIZE() CHECK
  • ENSURE NON-EXECUTABLE PERMISSIONS
  • REPROCESS THE IMAGE

Would that be enough for a SAFE, SECURE image file upload?

Jo E.

  • Yes, 4 is bullet-proof, if implemented correctly. It is not for identifying if the IMAGE though, but for stripping out all the extra data from the image file. The other 3 are rubbish, especially the 3rd one. – Your Common Sense Mar 20 '13 at 12:17
  • So in terms of safety, 4 would be enough? What's your take on #5? Any suggestions on how to achieve #4? Because I have no idea where to start with that one. @YourCommonSense – Jo E. Mar 20 '13 at 12:20
  • You have forgotten to put uploaded files outside of the web root, and instead of allowing the user direct access to the file, proxy it to the user with a passthru script – Lawrence Cherone Mar 20 '13 at 12:25

1 Answer

  1. MIME type is easy to fake; file extension is easier to fake. Use them if you need a clue about what the file type is, assuming the user is a good guy. Don't rely on it.
  2. My point exactly.
  3. Giving the file non-executable permissions is a good idea. It is useless from a web security point of view. Are your .php files executable? No. Are they still processed by the web server? Yes.
  4. This is the way to go. Open the file with Imagick, for example. If Imagick complains about the file format, then don't keep it.
Tchoupi
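The following is an added example (not code from the question, the answer or the comments) putting the answer's point 4 together with Lawrence Cherone's comment: the upload is decoded and re-encoded with Imagick, written under a server-chosen name into a directory assumed to sit outside the web root, and served only through a passthru function. STORE_DIR, MAX_BYTES and both function names are assumptions for illustration.

```php
<?php
// Added example: re-encode an uploaded image with Imagick and store it
// outside the web root (STORE_DIR is an assumed path, not from the page).
const STORE_DIR = '/var/www/uploads-private'; // assumption: not under DocumentRoot
const MAX_BYTES = 2 * 1024 * 1024;

function storeUploadedImage(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // getimagesize() only parses headers; it is a cheap first filter, not proof.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }
    // Re-encoding keeps only the pixel data the decoder understood; trailing
    // script text, EXIF and comment chunks are dropped, and non-images fail here.
    $im = new Imagick();
    try {
        $im->readImage($file['tmp_name']);
    } catch (ImagickException $e) {
        throw new RuntimeException('unreadable image');
    }
    $im->stripImage();
    $im->setImageFormat('png');
    // Server-chosen name: the client's filename and extension are never used.
    $name = bin2hex(random_bytes(16)) . '.png';
    $dest = STORE_DIR . '/' . $name;
    $im->writeImage($dest);
    chmod($dest, 0640); // readable by the web server user only, never executable
    return $name;
}

// Passthru: the browser never receives a direct path to the stored file.
function serveStoredImage(string $name): void
{
    $path = STORE_DIR . '/' . $name;
    if (!preg_match('/^[0-9a-f]{32}\.png$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff'); // blocks IE-style content sniffing
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}
```

Call `storeUploadedImage($_FILES['image'])` from the upload form handler and `serveStoredImage($_GET['id'])` from the script that the `<img>` tags point at; the stored file itself has no URL.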