
Thread: Image safety.

  1. #1
    New Coder
    Join Date
    Sep 2007
    Location
    US
    Posts
    88
    Thanks
    4
    Thanked 4 Times in 4 Posts

    Image safety.

    Okay, so I've got a script to write but a concern that I can't figure out.

    I'm writing an image upload script but want to make sure that the images uploaded don't have a Trojan in them. There has been word of jpeg images especially that are the cause of this.

    So, is there some kind of image scrubbing php module or script that I need to ensure that the pictures are bug free?

    FYI, this system will use the ImageMagick extension of PHP.

    Thanks for the help all.
    I need to find a book about all this stuff. God, that's gonna be one big book!

    http://www.gamezftw.com
    Play On!

  • #2
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,647
    Thanks
    2
    Thanked 406 Times in 398 Posts
    You can use getimagesize() to start with, or the Imagick identifyimage function.

  • #3
    New Coder
    Join Date
    Sep 2007
    Location
    US
    Posts
    88
    Thanks
    4
    Thanked 4 Times in 4 Posts
    I'm sorry, I still really don't understand it all. Those functions will verify that the jpeg image is just a jpeg?
    Sorry for the bother, and thanks for the help.

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,040
    Thanks
    10
    Thanked 92 Times in 90 Posts
    You will need to do a scan with whatever antivirus is available on your server; many Linux hosts will have ClamAV or similar, which can be exec()'d.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #5
    New Coder
    Join Date
    Sep 2007
    Location
    US
    Posts
    88
    Thanks
    4
    Thanked 4 Times in 4 Posts
    Damn, I don't think my GoDaddy host has an antivirus scanner.
    Thus far they've told me that they have none of the many things I'd consider key for truly robust websites.

  • #6
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,043
    Thanks
    2
    Thanked 316 Times in 308 Posts
    You might want to check out the link in post #2 in this thread - Basic Code

    It is possible for a file to contain a valid image AND contain php code. The image content prior to the <?php tag is simply content that php would output, then the php code would be parsed and executed. There are some conditions that must be true for this exploit to be possible, such as allowing an upload file name to be completely specified from the upload form, so that such an image/php code file could be placed on the server with a file name that could be browsed to and be parsed as php code.

    The various image functions (getimagesize and imagecreatefromjpeg...) will find and happily return the image portion of such an image/php code file.

    Since an image would not normally contain data that looks like php code, this type of exploit could be discovered by scanning the file for php only keywords that would be used by malicious code, such as <? exec shell echo print print_r...
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
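
The image-plus-PHP file described in post #6, handled defensively: an added example that is not code from this thread. It assumes the GD extension is loaded; the function names are hypothetical and the sample file is constructed in memory with a harmless marker.

```php
<?php
// Added example; make_constructed_polyglot() and sanitize_image_upload() are hypothetical names.

// Constructed sample: a small valid JPEG with a harmless PHP-looking marker appended.
function make_constructed_polyglot(): string {
    $img = imagecreatetruecolor(8, 8);
    ob_start();
    imagejpeg($img);
    $jpeg = ob_get_clean();
    return $jpeg . '<?php /* constructed marker, does nothing */ ?>';
}

// Accept only JPEG/PNG data, rebuild the image from its decoded pixels,
// and choose the stored file name on the server.
function sanitize_image_upload(string $bytes): ?array {
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null; // not an image type we accept
    }
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null; // header looked fine but the pixel data did not decode
    }
    // Re-encoding writes only the decoded pixels, so bytes that followed
    // the image data in the upload are not carried into the stored file.
    ob_start();
    imagejpeg($img, null, 85);
    $clean = ob_get_clean();
    // The name and extension never come from the upload form.
    return ['name' => bin2hex(random_bytes(16)) . '.jpg', 'bytes' => $clean];
}

$upload = make_constructed_polyglot();
// Does the header check alone accept the constructed file?
var_dump(getimagesizefromstring($upload) !== false);
// Is the marker present in the raw upload?
var_dump(strpos($upload, '<?php') !== false);

$stored = sanitize_image_upload($upload);
// Is the marker still present after re-encoding?
var_dump(strpos($stored['bytes'], '<?php') !== false);
echo $stored['name'], "\n";
```

In an upload handler the input would be `file_get_contents($_FILES['imagefile']['tmp_name'])`, and the returned bytes would be written under the returned name.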

  • #7
    Regular Coder dniwebdesign's Avatar
    Join Date
    Dec 2003
    Location
    Carrot River, Saskatchewan
    Posts
    845
    Thanks
    15
    Thanked 10 Times in 10 Posts
    If you use getimagesize(), check the file type of the file being uploaded; it should narrow down the field of what files are uploaded.

    Also if you expect the images to be a certain size you can also limit the size of the uploads.

    Otherwise, the virus scanner is your best bet, but if you don't have that, you have to do a detailed check on every part of the file to make sure it is a jpeg file.
    Dawson Irvine
    CEO - DNI Web Design
    http://www.dniwebdesign.com

  • #8
    New Coder
    Join Date
    Sep 2007
    Location
    US
    Posts
    88
    Thanks
    4
    Thanked 4 Times in 4 Posts
    Wow, thanks guys, I've learned a bit in the past few minutes.
    I still have one question: now that I know that the image can be more than just binary or hex, how exactly do I extract the file into a readable format?

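    Or am I just asking a pointless question on this one.
    Thus I would only have to use something like this:
    PHP Code:
    <?php
    // The superglobal is $_FILES; the uploaded bytes are at tmp_name, not in the client-supplied name.
    $data = file_get_contents($_FILES['imagefile']['tmp_name']);
    // Look for PHP open tags in the file contents.
    // Note: the two-byte short tag "<?" can also occur by chance in binary image data.
    if ($data !== false && (strpos($data, '<?php') !== false || strpos($data, '<?') !== false))
    {
    // Either parse with imagecreatefromjpeg or throw out and ask for another file.
    }
    ?>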

