[WEB SECURITY] Backdooring Image Files - security notice
John GALLET
john.gallet at wanadoo.fr
Sun Dec 17 06:10:43 EST 2006
> gd is okay when handling images,
As I stated in my first message, I don't agree, gd resizing test is not
foolproof. It's not rare to have an image that could be correctly resized
but can't be for example included correctly later on in a pdf because it
is in fact corrupted.
> this will protect you from non-images files (plain text, fake mime
> headers, php/asp code "embedded" in the image) but will expose your
> gd engine (hehe)
1) this will not protect me in all cases and 2) yes I know this is
exactly what I said, if there is a flaw in the lib, we're screwed.
> also from the server side point of view it's important to have user
> submitted contents normalized (think about local file inclusion
> vulnerabilities)
I am really only focused on the contents of the file, but what you state
here is totally true.
> if you actually want to change the image size simply resize it to 95%
> and then to 106%, there is some quality loss but now the data is clean
I am not even sure the copy would be clean, but there are many instances
where this resizing is not tolerated. You can try it on a copy of the
file to try to validate it, but not store that.
> a nice extra for your legitimate users is that their images will be
> published without a lot of nasty things like exif metadata/thumbnail
> or "plain" xml(1)
Except that I **need** the exif data for later processing... And I need it
as exif. I could copy it from the original and add it to the copy, but
anyway it is not tolerable that the original be changed a pixel in the
process if it is a legitimate picture.
If it's to be put up on a blog, sure, we should even be more drastic, but
if the photo is to be sent to a high quality printer and the client pays
for this service, you just can't modify anything.
JG
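A structural check in the spirit of what John argues here (validate without altering the stored original), added as an example that is not part of the thread: it walks a PNG's chunks, verifies every CRC and flags bytes after IEND, which a gd resize would never report. The sample image is constructed inline and the function names are my own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def validate_png(data: bytes) -> list:
    """Walk every chunk of a PNG without modifying it; return a list of problems.
    Unlike a gd resize test this checks each CRC and rejects bytes after IEND."""
    problems = []
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    seen = []
    while pos < len(data):
        if pos + 8 > len(data):
            problems.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            problems.append(f"truncated chunk {ctype!r} at offset {pos}")
            break
        if not ctype.isalpha():  # chunk types are four ASCII letters
            problems.append(f"invalid chunk type {ctype!r} at offset {pos}")
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            problems.append(f"bad CRC for chunk {ctype!r} at offset {pos}")
        seen.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":  # anything after IEND is not image data
            if pos < len(data):
                problems.append(f"{len(data) - pos} trailing bytes after IEND")
            break
    if not seen or seen[0] != b"IHDR":
        problems.append("first chunk is not IHDR")
    if b"IEND" not in seen:
        problems.append("no IEND chunk")
    return problems

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: a 1x1 RGB PNG built here, not taken from the thread.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
IDAT = zlib.compress(b"\x00\xff\x00\x00")  # filter byte plus one red pixel
CLEAN_PNG = PNG_SIGNATURE + _chunk(b"IHDR", IHDR) + _chunk(b"IDAT", IDAT) + _chunk(b"IEND", b"")
TAMPERED_PNG = CLEAN_PNG + b"constructed junk appended after IEND"
```

Run the check on an uploaded copy and keep the original bytes untouched if it passes; a file that fails should be rejected rather than "repaired" by re-encoding.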
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]