we have to implement a feature user profile Image upload in our web application. the user can upload his profile image .
after uploading image it will be saved to DB2 DB .. and it will be rendered only to the user who uploaded the image after the login.
Technology stack -> J2EE , AIX, DB2.
we got a strange complaint from our security department that this feature needs to be dropped because the user may upload a virus and this will infect the server !
I don't understand how a user will upload the virus, at the end of the day the virus is a program that needs to be executed ,right?
second thing the platform is UNIX-AIX ,,, even if user uploaded a malware the server will not be infected , right ?
last thing, there is a possibility that user will be infected by XSS in case a JS file uploaded instead of image, but i can see that this in our case is not valid because only the user can upload the image and it will be rendered only to the user..
Is my understanding is right ?
No, it is actually possible to hide executable code in image files.
And when the user renders the image, it may be possible depending on the server configuration that the code inside the image can be executed.
See for example http://hackaday.com/2014/11/15/hiding-executable-javascript-in-images-that-pass-validation/
And search in google for gif executable, png executable, etc.
I have seen proofs of concepts that allow to run windows executables like this http://www.codeproject.com/Articles/9791/Hiding-EXE-Data-Within-GIF-Data, batch commands and other stuff for linux (even rm -fr *), php code and many others.
You will have to either verify the image or be sure the image is converted to a safe format before it gets rendered.
Related
I have a lot galleries displayed with Lightbox2 and it works fine.
Now I want to delete the larger version of the pictures, but keep the gallery with the thumbnails for visitors.
How can I manage, that lightbox2 displays an alternative image, if the given file in the html is not existing?
I couldn't find an option in lightbox.js to handle with missing targets.
I had the same question, but after a little research I decided that Lightbox2 is not the right place to handle missing images. Instead, that should be handled at the server or application level.
The web server will respond with a 404 error for any missing resource, whether a web page, image, or anything else. In most cases, it also returns a small HTML page to alert the user (such as this example at Google).
You can usually configure your server or application to return a default 404-style image instead of an HTML page if the requested resource was an image. That will then be displayed to the user instead of the broken image symbol.
How you do this of course depends on the particular server/application stack you are using, but here is a good solution for Apache.
If i have a filename for a local file on the computer:
$img = "deskfile:///D%3A%2FSCANS%2F%23AUKT%2Fimg2014%2F2014-06+SP%2FEPSON007.jpg"
how can i upload it the server without using the "file selector"?
If i enter the file adresses in the url window of a browser i can display the image.
But if i load the image in tag they won't display. I've read it's becuse of restrictions in the browser.
I can't add a value caluse to the either.
Is there anyway to upload the image from the string?
Or can i at least open the correct directory in the "file selector" so the user wont have the browse the whole computer when looking for the file?
Yes there is a way. You can use the File API with Html5 and/or a polyfill for this to load the image in the browser before posting it back to the server. The best such polyfill that I know of is called Moxy/Plupload. It includes Flash and Silverlight fallbacks for older browsers.
You can display the image because it is stored locally in your computer. How do you know where is the image going to be in the user's computer. The only way to access the user's file system is through the file selector, once the user has selected a file you can then use any API to save that file in the server on your terms, but you will not be able to see each of your users file system from you page (security reasons). Could you elaborate more in what you are trying to accomplish? What exactly are you trying to do?
I am concerned about the allowing people to upload images to my server. I will be running a site that will allow users to do upload image which are then resized and saved on the server.
However, there is the potential for abuse here because if someone wanted to write a script to constantly bombard my server then not only would I end up with a huge number of images left on my server, but the server would become overloaded from all the resize operations.
This is a process that I was considering:
Image gets uploaded to a "tmp" location
On successful payment, image is resized and moved from "tmp" to the image folder
"tmp" folder cleaned out every night
Is this paranoid, overcomplicated, or does it in fact make perfect sense? Any feedback is appareciated.
Why dont you just include a Captcha or Captcha-Like function. Since scripts can't read images, only humans can complete Captchas.
Check these out:
http://www.captcha.net/
http://webcheatsheet.com/php/create_captcha_protection.php
I am implementing a project to my site to allow users to upload image files (ai, pdf, jpeg, gif, tiff). I know this can be very risky but I was wondering what kind of security checks I should put in place to make sure these files to not cause my site any harm.
OR
Should I use something like dropbox to upload my images? If I do this is it possible to get these images whenever I want so I can display them within the browser to the user?
image uploads are fine, because you know what you want: An image
First rule is never to trust the client, so let the user upload the file (maybe you want to add an upload size limit).
Second, you have to ensure that the image is really an image so
Check the mime-type of the file (don't go by the file extension, use a real mime type check like the file shell command or an appropriate library)
To really make sure the file is OK, Open and Reprocess it using an image library like GD, ImageMagick etc. and save it to disk (keep in mind this needs some resource!). This will also filter out corrupted images.
An uploaded file usually doesn't harm the site itself but the users who download the file.
I've come across with a file uploading part of a project I worked.
Some high-level suggestions to complement sled's answer:
The mime type is set on base of the file extension, so it's no useful (as the file has not been uploaded yet to the server, the mime type is just a 'guess' in base of his extension).
So solutions would be:
Do the content check client-side (before sending the http-request)
When you get the whole file by HTTP do the check server-side before persisting to the disk.
Other Suggestions:
The simple file extension check
(wheter by filename or mime-type) is
the basic secutiry measure that also
has to be present.
Folder permissions: Don't allow execute permissions, don't allow the user to create new folders (as it might create a sub-folder with executing permissions).
I'm trying to find a way of finding out who is downloading what image from an image gallery. Users can download using a button beside the thumbnail or right click and use the "save link as" Is it possible to relate a user session or ID to a "save link as" action from all browsers using either PHP or JavaScript.
Yes, my preferred way of doing this would be via PHP. You'd have to set up a script which would load up the file and send it to the user browser. This script would also be able to log the download somewhere (e.g. your database).
For example - in very rough pseudo-code:
download.php
$file = $_GET['file'];
updateFileCount($file);
header('Content-Type: image/jpeg');
sendFile($file);
Then, you just have your download link point to download.php instead of the actual file. (Note that updateFileCount and sendFile are functions that you would have to provide, of course - this script is an example of a download script which you could use)
Note: I highly recommend avoiding the use of $_GET['file'] to get the whole filename - malicious users could use it to retrieve sensitive files from your web server. But the safe use of PHP downloads is a topic for another question.
You need a gateway script, like ImageDownload.php?picture=me.jpg, or something like that.
That page whould return the image bytes, as well as logging that the image is downloaded.
Because the images being saved are on their computer locally there would be no way to get that kind of information as they have already retrieved the image from your system. Even with javascript the best I know that you could do is to log each time a user presses the second mousebutton using some kind of ajax'y stuff.
I don't really like the idea, but if you wanted to log everytime someone downloaded an image you could host the images inside a flash or java app that made it a requirement to click a download image button. That way the only way for them to get the image without doing that would be to either capture packets as they came into their side or take a screenshot.
Your server access logs should already have the request for the non-thumbnailed version of the file, so you just need to modify the log format to include the sessionid, which I presume you can map back to a user.
I agree strongly with the suggestion put forward by Phill Sacre. For what you are looking for this is the way to go.
It also has the benefit of being potentially able to keep the tracked files out of the direct web path so that they can't be direct linked to.
I use this method in a client site where the images are paid content so must be restricted access.