[WEB SECURITY] Backdooring Image Files - security notice
John GALLET
john.gallet at wanadoo.fr
Sat Dec 16 05:40:02 EST 2006
Hi there,
> I will be brief. There is a rather lame/concerning technique, most of
> you know about, that allows JavaScript to be executed upon visiting an
> image file. This issue is not due to some browser error, although
> clearly IE has some issues with it, but it is due to web applications
> not sanitizing user supplied content in a form of links.
I totally agree about the cause, but I have serious doubts about the
possibility of sanitizing in all cases.
Say we take a valid image and/or movie and add bad things at the end, if
needed modifying a checksum or size where needed.
- checking client-provided whatever (mime-type, etc.) is useless by
design. So we must rely on analyzing the would-be-corrupted file by its
contents alone. Anyway it would be the same question for a client-side app
that would be supposed to validate the input file before upload
(picasa.google.com style for example).
- the "file" unix command is not foolproof and from what I recall only looks at
the header and such.
- reading and resizing the image with GD lib is not foolproof either and
can lead to other leaks as the checking lib itself can have flaws.
So it might be more of a "security-basics" mailing list question, but
since you bring the topic: what method(s) can really be used to sanitize
binary data such as images? Or zipped files or whatever non text.
TIA
JG
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
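As an added example (not part of John's post or the list archive), the following Python walks a PNG chunk by chunk instead of trusting the header the way `file` does, so a valid image with bytes appended after the terminating IEND chunk, or with edited chunk bytes, is rejected. The sample images are constructed inline; the check is specific to PNG and is a complement to re-encoding with a trusted decoder, not a replacement for it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def validate_png(data: bytes) -> list:
    """Walk the whole file, not just the header. Returns a list of findings;
    an empty list means the bytes are exactly one well-formed PNG."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 12 <= len(data) and not saw_iend:
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length  # length field + type + payload + CRC
        if end > len(data):  # declared length runs past end of file
            findings.append("truncated chunk %r" % ctype)
            return findings
        payload = data[pos + 8:pos + 8 + length]
        crc_stored = struct.unpack(">I", data[end - 4:end])[0]
        if crc_stored != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            findings.append("bad CRC on chunk %r (bytes were edited)" % ctype)
        pos = end
        saw_iend = ctype == b"IEND"
    if not saw_iend:
        findings.append("no IEND chunk: not a complete PNG")
    elif pos != len(data):
        # Anything after IEND is not part of the image: appended payload.
        findings.append("%d trailing bytes after IEND" % (len(data) - pos))
    return findings


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG: IHDR, one IDAT (filter byte + pixel), IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = build_sample_png()
# Constructed "backdoored" sample: the same valid image with bytes appended
# after IEND. A header-only check (file(1), a MIME sniff) still calls it a PNG.
BACKDOORED_PNG = CLEAN_PNG + b"<html>constructed payload marker</html>"
```

Text carried inside legitimate tEXt/iTXt chunks is not flagged by this walk, so a content policy for those chunks, or decoding and re-encoding the pixels, is still needed.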