Security issue?

I am writing a small PHP application and I am not sure if I have a security problem. So this is what the application does:

  • the user can upload image files (png, gif, jpg, jpeg, tiff and several others) or zip files

I check the mime type and extension, and if this is not allowed, I will not allow the download (this is not the part I'm worried about).

Now, after downloading, I rename the file to a unique hash and save it in a folder outside of root access.

The user can now access the file through a short URL. I make the file accessible by setting the correct mime type for the header, and then just use readfile().

My question is, does the exploit work here where the jar file is included in the image file? I serve the image as a clean image.

Should this be a way to prevent this?

Thanks.

+3
5 answers

MIME type checking will not solve the GIFAR problem. 2009 JREs have already been fixed, but if you want to solve the problem, you can

  • Serve images from another domain
  • Run the server-side code to check if the image contains a valid JAR, e.g. here

Anything (except for the file in any Java-enabled browser with a fairly old JRE) may not work in certain cases.

, (, , , , .)

+5
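
The server-side check suggested in the answer above, sketched in PHP as an added example that is not part of the original question or answers. The helper name `containsZipArchive()` and the sample bytes are assumptions made for illustration; the check looks for a ZIP/JAR end-of-central-directory record behind the image data, which is how a GIFAR file is built.

```php
<?php
// Added example: detect a ZIP/JAR archive appended to an uploaded image.
// containsZipArchive() is a hypothetical helper name, not from the page.

const EOCD_SIG = "PK\x05\x06"; // end-of-central-directory signature
const CDH_SIG  = "PK\x01\x02"; // central-directory file header signature
const EOCD_LEN = 22;           // EOCD size without the trailing comment

function containsZipArchive(string $data): bool
{
    $len = strlen($data);
    // The EOCD lies in the last 22 + 65535 bytes (maximum comment length).
    $start = max(0, $len - EOCD_LEN - 0xFFFF);
    $tail = substr($data, $start);
    $off = 0;
    while (($p = strpos($tail, EOCD_SIG, $off)) !== false) {
        $off = $p + 1;
        $abs = $start + $p;
        if ($abs + EOCD_LEN > $len) {
            break; // truncated record, no later candidate can fit either
        }
        $f = unpack('vdisk/vcdDisk/vonDisk/ventries/VcdSize/VcdOffset/vcomment',
                    substr($data, $abs + 4, 18));
        // The comment must fit in the file and the central directory must
        // fit in front of the EOCD.
        if ($abs + EOCD_LEN + $f['comment'] > $len) continue;
        if ($f['entries'] === 0 || $f['cdSize'] < 46 || $f['cdSize'] > $abs) continue;
        // With image bytes prepended, stored offsets are shifted, so locate
        // the directory relative to the EOCD instead of trusting cdOffset.
        if (substr($data, $abs - $f['cdSize'], 4) === CDH_SIG) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: a GIF header followed by a stub archive.
$gif  = "GIF89a" . str_repeat("\0", 26);
$lfh  = "PK\x03\x04" . str_repeat("\0", 26);          // stub local header
$cd   = CDH_SIG . str_repeat("\0", 42);               // stub directory entry
$eocd = EOCD_SIG . pack('vvvvVVv', 0, 0, 1, 1, strlen($cd), strlen($lfh), 0);

var_dump(containsZipArchive($gif));                      // plain image
var_dump(containsZipArchive($gif . $lfh . $cd . $eocd)); // image + archive
```

Run it on the contents of the temporary upload for files accepted as images, before the rename step. The check is structural only: it flags anything that a ZIP reader would open from the end of the file, without verifying that the archive is a usable JAR.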

mime , ( ) HTTP . , , - . , , .

+1

:

, , - , . , . , , , .

, . * nix, ClamAV.

, - .

+1

2 . images.domain.com. / , .

java script ( javascript), , . , , .

:

http://www.gnucitizen.org/blog/java-jar-attacks-and-features/

0

, , , ! , , . , "" , MASKARADAR JAR , , JAR "" (.. ).

, cookie , , .

, , , ( ).

, , - , , . , , , .

0

Source: https://habr.com/ru/post/1718753/

