[WEB SECURITY] Backdooring Image Files - security notice

John GALLET john.gallet at wanadoo.fr
Sun Dec 17 06:10:43 EST 2006


> gd is okay when handling images,
 
As I stated in my first message, I don't agree, gd resizing test is not
foolproof. It's not rare to have an image that could be correctly resized 
but can't be for example included correctly later on in a pdf because it 
is in fact corrupted. 

> this will protect you from non-images files (plain text, fake mime
> headers, php/asp code "embedded" in the image) but will expose your
> gd engine (hehe)

1) this will not protect me in all cases and 2) yes I know this is 
exactly what I said, if there is a flaw in the lib, we're screwed.

> also from the server side point of view it's important to have user
> submitted contents normalized (think about local file inclusion
> vulnerabilities)

I am really only focused on the contents of the file, but what you state 
here is totally true. 

> if you actually won't to change the image size simply resize it to 95%
> and than to 106%, there is some quality loss but now the data is clean

I am not even sure the copy would be clean, but there are many instances 
where this resizing is not tolerated. You can try it on a copy of the 
file to try to validate it, but not store that.

> a nice extra for your legitimate users is that their images will be
> published without a lot of nasty things like exif metadata/thumbnail
> or "plain" xml(1)

Except that I **need** the exif data for later procesing... And I need it
as exif. I could copy it from the original and add it to the copy, but
anyway it is not tolerable that the original be changed a pixel in the
process if it is a legitimate picture. 

If it's to be put up on a blog, sure, we should even be more drastic, but
if the photo is to be sent to a high quality printer and the client pays
for this service, you just can't modify anything.

JG



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list