Is There A Vulnerability?

PHP Script

         

boxfan

11:28 pm on Jan 22, 2007 (gmt 0)

10+ Year Member



header("Content-type: image/jpg");

If I have a PHP script that sets the content-type as above can the header be altered by the user to change the content-type?

eelixduppy

11:32 pm on Jan 22, 2007 (gmt 0)



Not that I know of. :)

boxfan

11:45 pm on Jan 22, 2007 (gmt 0)

10+ Year Member



Ok, so something like this

$img = $_GET["src"];
header("Content-type: image/jpg");
header("Cache-Control: public, max-age=600000");
header("Expires: Tue, 1 Jan 2008 01:00:00 GMT");
header('Content-length: '.filesize($img));
readfile($img);

should be safe for displaying images? The user can't use a browser to download any other type of file except an image. The user can traverse the directories but still can only download an image.

mcavic

12:05 am on Jan 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No, I believe that would let them download files of any type. If they're using a browser, it would try to interpret it as a jpeg, but the actual data (php source for example) would be easily available to someone who was deliberately exploiting it.

You should restrict it to directories that are safe, and/or check that the filename ends with .jpg.

eelixduppy

1:56 am on Jan 23, 2007 (gmt 0)



mcavic is correct in that the source would be able to be viewed for any file. You should definitely check the file extensions:

$img = $_GET["src"];
// file_exists: http://us2.php.net/manual/en/function.file-exists.php
if(!file_exists($img)) {
echo 'File does not exist!';
exit;
}
// exif_imagetype: http://us2.php.net/manual/en/function.exif-imagetype.php
else if(exif_imagetype($img)!= 2) {
echo 'Error! Not correct filetype';
exit;
}
header("Content-type: image/jpg");
header("Cache-Control: public, max-age=600000");
header("Expires: Tue, 1 Jan 2008 01:00:00 GMT");
header('Content-length: '.filesize($img));
readfile($img);

Something like that should do. :)

Good luck!

whoisgregg

2:30 pm on Jan 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



To extend eelixduppy's code, I'd also send a 404 header when the file does not exist, and a 403 when it's the wrong file type. It wouldn't be a good thing to leave a script running on your server that can generate an infinite number of non-existent pages.

$img = $_GET["src"]; 
if(!file_exists($img)) {
header("HTTP/1.0 404 Not Found");
echo 'File does not exist!';
exit;
}
else if(exif_imagetype($img)!= 2) {
header("HTTP/1.1 403 Forbidden");
echo 'Error! Not correct filetype';
exit;
}

boxfan

2:49 pm on Jan 23, 2007 (gmt 0)

10+ Year Member



Thanks everyone for the help with this.

joelgreen

6:24 pm on Jan 24, 2007 (gmt 0)

10+ Year Member



I would also make sure $_GET["src"] does not have constructions like ../../file.zip
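
The suggestions in this thread (a safe directory, a JPEG type check, 404/403 statuses, and rejecting ../ constructions) combined into one script, as an added example that is not code from any poster. IMAGE_DIR, its path and resolve_image() are hypothetical names, and the exif extension is assumed to be enabled, as in the code above.

```php
<?php
// Added example. IMAGE_DIR and resolve_image() are hypothetical names.
const IMAGE_DIR = '/var/www/images'; // assumed: directory holding only public images

/**
 * Map a user-supplied "src" value to a real JPEG inside $baseDir.
 * Returns [status, path]: 200 with the resolved path, else 404/403 and null.
 */
function resolve_image(string $src, string $baseDir = IMAGE_DIR): array
{
    // Reject empty values and embedded NUL bytes before touching the filesystem.
    if ($src === '' || strpos($src, "\0") !== false) {
        return [404, null];
    }
    $base = realpath($baseDir);
    // realpath() resolves "..", "." and symlinks and returns false when the
    // target does not exist.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $src);
    if ($base === false || $path === false || !is_file($path)) {
        return [404, null];
    }
    // The resolved path must still sit under the base directory. This is the
    // check that stops values like ../../file.zip. It answers 404 as well, so
    // the response does not reveal whether a file outside the directory exists.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return [404, null];
    }
    // Check the file's signature, not only its name. exif_imagetype() needs
    // the exif extension; the constant 2 used in the thread is IMAGETYPE_JPEG.
    if (@exif_imagetype($path) !== IMAGETYPE_JPEG) {
        return [403, null];
    }
    return [200, $path];
}

// Serve only for a web request that carries a string "src" parameter.
if (PHP_SAPI !== 'cli' && isset($_GET['src']) && is_string($_GET['src'])) {
    [$status, $path] = resolve_image($_GET['src']);
    if ($status !== 200) {
        http_response_code($status);
        exit;
    }
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```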