Security - Image PHP script question...

Jack99uk

Hi all,

I'm using a simple PHP script to automate showing images from a gallery inside a template.

I link to the script thus:

<a href="script.php?wp=images/folder/image1.jpg">click here</a>

And then on script.php

<img src="<? echo $wp ?>" border="0">

Is this a security problem?

I'm aware that I can hi-jack the link to script.php with something like script.php?wp=../../../hack.exe

This would then try to run inside the image tag - is that possible?

Or am I ok?

Many thanks

Jack

ednark

Your script is very insecure... you should not allow total access to your file system through a request like this... it could be abused to if not execute undesireable system commands, to at least get info from places on your filesystem that you had not intended

you can help with the security some by checking the string and altering it before printing this back out into your code.

if you could i would restrict your option to either a fixed list of images to call... or a fixed pattern...

look at the basename() function and some other file system functions

you could create an array( 'img1.png', 'img2.jpg' ) and use the in_array() function to make sure the requested image is allowed and simply set the image to default.gif is any other value is given

or you could remove all characters that may be bad... change all double dots '..' into single dots. perhaps use preg or ereg functions to capture only the file name at the end of the string, thereby skipping any bad option...

One option would be to write an 'image.php' script
look into php's image functions... image.php would return an image instead of an html document

if would look something like this in pseudocode

[pseudocode]
look at request ?file='foo'
does that file exist?
is that file an image?
write the appropriate mime type using header() : Header ('Content-type: image/jpeg');
fopen the file()
fpassthru() the file there by making this php document return all the data in the other.
[/pseudocode]

these are just a bunch of thoughts to get you going... maybe none of them are what you are looking for

Jack99uk

Many thanks Ednark,

The script is used when my client uploads customised images with his own filenames, so I can't really use the fixed names idea.

I like the pseudocode you've given for a solution though - don't suppose you've got a working PHP example? I'm a bit rusty at the moment.

Thanks if anyone can help,

Jack

ednark

you misunderstand.. the point of playing around with the image name is not to change the file.name... that will stay the same, but to adjust the filepath given to that filename

if you find are given ../../../hack.exe
your script would ignore eveything but the file hack.exe
and look for it only in the place
/home/images/hack.exe
and if you have placed a hack.exe file in your image directory you deserve to be hacked.. unless its just a jpeg with the file extension changed 🙂

and no i have no working code but check out php.net and the image_ functions.. some good leads there

Jack99uk

Aah, I got you.

Just had another idea:

What if I hard code '.jpg' into the script, e.g.

<img src="<? echo $wp ?>.jpg" border="0">

Would that help solve the security risk?

Davy

what about gifs? or pngs?

writing file type testing function really isn't hard, honestly. You just lazy :p

<?php

$file = $_GET['wp'];

if (is_file($file))
{
 // is a file
  if (file_exists($file))
  {
  // it exists
    if (mime_content_type($file) == "image/gif" || mime_content_type($file) == "image/png" || mime_content_type($file) == "image/jpg")
    {
    // and is an image ( jpg, gif or png )
    }
    else
    {
    // is not an image
    }
  }
  else
  {
  // does not exist
  }
}
else
{
// is not a file
}

?>

This is grossly untested and I haven't ever used these functions before...I got them straight from php.net's function list -- which is where you should have got them!

I write this post @ 3:15 am GMT so sorry fi I screwed something up in this post...

Jack99uk

Hehe, awesome - thanks Davy. You're right, I was being lazy :-P Mainly because the project's a long time finished and quite over-budget, but also because I was looking for a quick fix!

Muchos thanks for that. :-)

And thanks to ednark too!