[WEB SECURITY] Serverside Virus Scan

Bil Corry bil at corry.biz
Sat May 3 09:44:30 EDT 2008

rajat karnwal wrote on 5/2/2008 5:43 PM:
> So the requirement is to check extension spoofing and
> virus scanning before this file can be stored in the
> database. I am at a stage where I have to make a
> design decision on how this can be achieved.

You might be able to use "file" to determine the type of file, independent of the mime type or extension:


And FWIW, pdp has written about various attack vectors with uploaded files:


One of my favorites is his "Cross-site File Upload Attacks" -- you can't implicitly trust content even from yourself:


All that said, I too would be interested in a "Best Practices" guide for validating uploaded files, including recommended tools.

- Bil 
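As an added illustration of the content-sniffing approach Bil suggests (this is example code, not part of the original post and not Bil's): a small pure-Python stand-in for what `file --mime-type` does, sniffing leading magic bytes and comparing the result against the claimed extension. The magic table, the allow list and the helper names (`sniff_type`, `has_embedded_archive`, `check_upload`) are this example's own assumptions; a real deployment would call the `file` utility or libmagic, which carry far more signatures.

```python
"""Reject uploads whose claimed extension disagrees with their actual content.

Added example, not code from the mailing-list post. Mimics what the "file"
utility does with a deliberately tiny magic table; names and table are
this example's own.
"""
import os

# Leading magic bytes -> canonical content type (hypothetical subset).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/jar/apk
]

# Which sniffed content types each accepted extension may legitimately carry.
ALLOWED = {
    ".png": {"png"},
    ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"},
    ".gif": {"gif"},
    ".pdf": {"pdf"},
}


def sniff_type(data):
    """Return the content type implied by the leading bytes, or None."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return None


def has_embedded_archive(data):
    """True if a ZIP local-file header appears after byte 0, i.e. an
    archive has been appended to or hidden inside another file type
    (the polyglot trick used to smuggle a JAR inside an image)."""
    return data.find(b"PK\x03\x04", 1) != -1


def check_upload(filename, data):
    """Return (accepted, reason) for an uploaded file.

    The extension is taken from the *last* suffix only, so "shell.php.jpg"
    is judged as ".jpg" and then rejected because its bytes are not JPEG;
    the decision rests on content, not on the name the client supplied.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not on allow list"
    kind = sniff_type(data)
    if kind is None:
        return False, "unrecognised content"
    if kind not in ALLOWED[ext]:
        return False, "extension %s does not match content %s" % (ext, kind)
    if has_embedded_archive(data):
        return False, "archive embedded in %s" % kind
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads (not real files): a valid PNG, a PHP
    # script with a double extension, and a GIF with a ZIP glued on.
    samples = [
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.php.jpg", b"<?php echo 1; ?>"),
        ("photo.jpg", b"GIF89a" + b"\x00" * 8),
        ("photo.gif", b"GIF89a" + b"\x00" * 8 + b"PK\x03\x04" + b"\x00" * 4),
    ]
    for name, blob in samples:
        print(name, check_upload(name, blob))
```

Whatever passes this check should still be stored under a server-generated name with the original filename kept only as metadata, and handed to the virus scanner before it is written to the database; the sniffing step only answers "is this really the type it claims to be", not "is it safe".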
