0

I have a CakePHP application that allows users to upload images. I am currently using version 2.

My concerned that hackers could embed code in the images and that code then being executed on the server.

Does anybody know if using the image validation methods used on the CakePHP documentation includes security checks for this?

Here is a link that may exaplin better what I am asking. PHP image upload security check list

Thanks in advance

Community
  • 1
  • 1
David Simpson
  • 3
  • 1

1 Answers1

0

You may want to first properly elaborate the situation you are concerned about, like, how would code embedded in an image be executed on the server? What kind of code would that be? What does the server / the application do with these images? Just moving them in the filesystem certainly won't do anything, no matter the files content.

CakePHP does not ship with any validation functionality that would check for the integrity/validity of binary image data. Possibly image related validation methods like Validation::mimeType() only do very basic file header checks via PHPs finfo_* or mime_content_type function.

Even if CakePHP would validate the image data structure, people could still embed all kinds of stuff via metadata for example, so if someone managed to include an image in the right context, possibly embedded code could be executed.

As mentioned initially, assess the threat first, then figure the proper defense mechanisms. If you need more security than CakePHPs built-in validation provides, then you'll probably have to process the image and ditch/filter metadata. However, even that may be exploited, properly crafted PNG IDAT chunks for example may even survive processes like resizing/resampling:

https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

ndm
  • 59,784
  • 9
  • 71
  • 110
  • Hi, First off I would link to thank you for taking the time to respond especially with such a detailed reply. As for what code is being executed on the server I am unsure but I have been reading online and I come across a post that mentioned PHP code can be embedded into the headers of the image and once uploaded the code can be executed although I am unsure if this is strictly PHP or if other languages could be used. – David Simpson Mar 17 '17 at 08:29
  • I have a form that allows images to be uploaded to my server on first upload they are placed in the tmp folder then using PHP move_uploaded_file function being moved to another location. I have then another application also built in PHP that displays the images on a webpage. My worry is that if someone manged to embed some PHP code in the headers and that code is then executed when the image is displayed. I am a beginner when it comes to this kind of attack and a point in the right direction would be appreciated. – David Simpson Mar 17 '17 at 08:29
  • @DavidSimpson Unless there are any specific vulnerabilities (for example in the library used for image processing), such embedded code would usually only be executed in case the image would be included into the PHP context (like `include 'image.jpg'`, or if someone manages to control the target filename, and it is publicly accessible, ie if it makes it there as `*.php`). As mentioned, mime type checks, even image type checks (ex `getimagesize()`) can be tricked, so if you need better protection, you'll need to process the image, or look for a library that can do proper image data validation. – ndm Mar 17 '17 at 13:38
  • Brilliant thank you for your responses, you have been very helpful and it is appreciated. – David Simpson Mar 20 '17 at 16:21