[WEB SECURITY] Backdooring Image Files - security notice

John GALLET john.gallet at wanadoo.fr
Sat Dec 16 05:40:02 EST 2006

Hi there,

> I will be brief. There is a rather lame/concerning technique, most of
> you know about, that allows JavaScript to be executed upon visiting an
> image file. This issue is not due to some browser error, although
> clearly IE has some issues with it, but it is due to web applications
> not sanitizing user supplied content in a form of links.

I totally agree about the cause, but I have serious doubts about the 
possibility of sanitizing in all cases. 

Say we take a valid image and/or movie and add bad things at the end, if 
needed modifying a checksum or size where needed.

- checking client-provided whatever (mime-type, etc.) is useless by 
design. So we must rely on analyzing the would-be-corrupted file by its 
contents alone. Anyway it would be the same question for a client-side app 
that would be supposed to validate the input file before upload 
(picasa.google.com style for example).

- the "file" unix command is not foolproof and from I recall only looks at 
the header and such. 

- reading and resizing the image with GD lib is not foolproof either and 
can lead to other leaks as the checking lib itself can have flaws. 

So it might be more of a "security-basics" mailing list question, but 
since you bring the topic : what method(s) can really be used to sanitize 
binary data such as images ? Or zipped files or whatever non text.


The Web Security Mailing List: 

The Web Security Mailing List Archives: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list