[WEB SECURITY] Backdooring Image Files - security notice

ascii ascii at katamail.com
Sat Dec 16 22:18:53 EST 2006


John GALLET wrote:
> So it might be more of a "security-basics" mailing list question, but 
> since you bring the topic : what method(s) can really be used to sanitize 
> binary data such as images ? Or zipped files or whatever non text.

gd is okay when handling images, simply don't rely on mime detection:
resize the image and stop : ) this means that you have to host the file
as you can't trust 3rd party files

this will protect you from non-image files (plain text, fake mime
headers, php/asp code "embedded" in the image) but will expose your
gd engine (hehe)

also from the server side point of view it's important to have user
submitted contents normalized (think about local file inclusion
vulnerabilities)

if you actually don't want to change the image size simply resize it to 95%
and then to 106%, there is some quality loss but now the data is clean

a nice extra for your legitimate users is that their images will be
published without a lot of nasty things like exif metadata/thumbnail
or "plain" xml(1)

resizing the image will not remove watermarks anyway

regards,
Francesco 'ascii' Ongaro
http://www.ush.it/

(1) http://phpfi.com/185392
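
An added example, not part of the original post: the resize-and-re-encode approach described above, sketched with PHP's gd functions. The size and dimension caps, the function names and the temp-file paths are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the original post. Names and limits are assumptions.
const MAX_BYTES = 5 * 1024 * 1024;  // assumed cap on upload size
const MAX_SIDE  = 4096;             // assumed cap on width/height, bounds gd memory use

// Resample $src into a new truecolor canvas scaled by $factor.
function scale_image($src, float $factor) {
    $w = max(1, (int) round(imagesx($src) * $factor));
    $h = max(1, (int) round(imagesy($src) * $factor));
    $dst = imagecreatetruecolor($w, $h);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $w, $h, imagesx($src), imagesy($src));
    return $dst;
}

// Returns the path of the re-encoded PNG, or null when the input is rejected.
function reencode_upload(string $srcPath, string $destDir): ?string {
    $size = filesize($srcPath);
    if ($size === false || $size > MAX_BYTES) return null;
    // Read the dimensions from the header before gd decodes any pixels.
    $info = @getimagesize($srcPath);
    if ($info === false || $info[0] > MAX_SIDE || $info[1] > MAX_SIDE) return null;
    // Decode by content; the client-supplied name and MIME type are never used.
    $img = @imagecreatefromstring(file_get_contents($srcPath));
    if ($img === false) return null;
    // 95% then 106%, as in the post: the pixels are resampled twice.
    $out = scale_image(scale_image($img, 0.95), 1.06);
    // Server-chosen name and extension; only pixel data reaches the output file.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    return imagepng($out, $dest) ? $dest : null;
}

// Constructed sample 1: a valid PNG with a text trailer appended after the image data.
$tmp = sys_get_temp_dir();
$pic = imagecreatetruecolor(100, 80);
imagefilledrectangle($pic, 10, 10, 90, 70, imagecolorallocate($pic, 200, 30, 30));
ob_start(); imagepng($pic); $png = ob_get_clean();
file_put_contents("$tmp/sample_upload.bin", $png . "<?php /* constructed marker */ ?>");

$clean = reencode_upload("$tmp/sample_upload.bin", $tmp);
// Is the trailer present in the upload, and in the re-encoded copy?
var_dump(strpos(file_get_contents("$tmp/sample_upload.bin"), 'constructed marker') !== false);
var_dump(strpos(file_get_contents($clean), 'constructed marker') !== false);

// Constructed sample 2: a fake GIF header followed by text, not a decodable image.
file_put_contents("$tmp/sample_fake.bin", "GIF89a<?php /* constructed */ ?>");
var_dump(reencode_upload("$tmp/sample_fake.bin", $tmp));
```

The canvas from `imagecreatetruecolor` has no alpha handling configured here, so transparent PNGs come out flattened; the dimension cap is one way to limit what an oversized image can make the gd decoder allocate.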
