Best way to avoid an attack via image upload?

Viewed 64 times

2

What is the best way to avoid an image attack? The attacker adds malicious code to an image, uploads it to the server and gets the code executed as if it were an image. How can this type of attack be avoided?

  • With the function getimagesize, which determines the size of an image. If it is an invalid image, or a file that disguises itself as an image, this function returns false and generates an error. However, it is more appropriate to use other techniques in addition to this one.

  • You can limit the file extensions that may be sent (Limit File Type): https://www.w3schools.com/php/php_file_upload.asp

  • Well people, my script already uses both approaches and even so the disguised file goes unnoticed: I created a PHP script, renamed it as .jpg, uploaded it, and the upload went through normally.

  • It uploads, but it does not execute, because it will be an invalid JPG.

2 answers

0

Take a look: https://www.verot.net/php_class_upload.htm

This class specializes in handling PHP uploads, so you can use the image_convert, allowed and forbidden functions before processing the upload:

    // Requires class.upload.php from the link above; "image_field" is the form field name
    require_once 'class.upload.php';
    $foo = new upload($_FILES['image_field']);
    $foo->image_convert = 'jpg';   // output format as a string, e.g. 'jpg', 'png' or 'gif'
    $foo->allowed = array('application/pdf','application/msword', 'image/*');
    $foo->forbidden = array('application/*');
    $foo->process('/path/to/uploads/');
    if (!$foo->processed) {
        echo 'Upload rejected: ' . $foo->error;
    }

With this you ensure that the upload will be an image.
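The same checks discussed in the comments and in this answer, combined in plain PHP without the class. This is an added example, not code from the question, the answers or the verot.net class; it assumes a form field named "photo", GD and fileinfo enabled, and a placeholder upload directory outside the web root.

```php
<?php
// Added example: validates an uploaded image server-side before storing it.
// Assumes <input type="file" name="photo">, GD and the fileinfo extension.
const UPLOAD_DIR = '/var/www/uploads_outside_webroot'; // placeholder; keep it outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
function store_uploaded_image(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 1. Detect the type from the file content, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('not an allowed image type');
    }
    // 2. getimagesize() must parse it as an image (false otherwise) and agree with the sniffed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('invalid image data');
    }
    // 3. Re-encode with GD: the new file holds only pixel data, so anything hidden in
    //    metadata or appended after the image (such as a PHP script renamed to .jpg) is dropped.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('could not decode image');
    }
    // 4. Server-chosen random name and extension; the original filename is never used.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}
try {
    echo 'stored as ' . basename(store_uploaded_image($_FILES['photo']));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . $e->getMessage();
}
```

Serve the stored files through a handler that sets the Content-Type from the stored extension, and make sure the web server never treats the upload directory as a script directory; the re-encoding step is what removes a payload, the other checks only reject obvious mismatches.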

0

Man, it is a delicate subject where in fact we will never be sure until we discover that we have been hit by a new technique, but it is always good to prevent, or at least try.

When I started studying malicious images a short time ago, I first sought to understand what they look like and how they work. I have not yet researched this as thoroughly as I would like, but I will share what I found...

See how a malicious image works in Javascript HERE

In my view, with PHP it would not be much different.

Searching Google I found a supposed quick solution, but without proof that it really works; I will still have to test it when I have more time...

Supposed solution in Devmedia HERE

Go ahead and assemble your own logic, or look for some scripts that fit your solution.

I always validate the information entered by the user on the front-end and the back-end, and generate notifications/alerts for suspicious actions, because today we are living in the era of cyber attacks; it is part of the evolution. If you find a solution, please share it with us =D.
