Ways to stop people from uploading GIFs with injections in them?


Problem description


I have a PHP website where people can fill out help-tickets. It allows them to upload screenshots for their ticket. I allow gif, psd, bmp, jpg, png, tif to be uploaded. Upon receiving the upload, the PHP script ignores the file extension. It identifies the filetype using only the MIME information, which for these filetypes is always stored within the first 12 bytes of the file.


Someone uploaded several GIFs, which when viewed with a browser, the browser said it was invalid, and my virus scanner alerted me that it was an injection (or something like that). See below for a zip file containing these GIFs.


I don't think only checking header info is adequate. I have heard that an image can be completely valid, but also contain exploit code.


So I have two basic questions:

  1. Does anyone know how they injected bad stuff into a GIF (while still keeping a valid GIF MIME type)? If I know this, maybe I can check for it at upload time.
  2. How can I prevent someone from uploading files like this?
    • I am on shared hosting, so I can't install a server-side virus scanner.
    • Submitting the info to an online virus scanning website might be too slow.
    • Is there any way to check myself using a PHP class that checks for these things?
    • Will resizing the image using GD fail if it's not valid? Or would the exploit still slip through and be in the resized image? If it fails, that would be ideal, because then I could use resizing as a technique to see if they are valid.

Update: Everyone, thanks for replying so far. I am attempting to look on the server for the GIFs that were uploaded. I will update this post if I find them.


Update 2: I located the GIFs for anyone interested. I put them in a zip file encrypted with password "123". It is located here (be careful, there are multiple "Download" buttons on this hosting site; some of them are for ads): http://www.filedropper.com/badgifs. The one called 5060.gif is flagged by my antivirus as a trojan (TR/Graftor.Q.2). I should note that these files were uploaded prior to me implementing the MIME check of the first 12 bytes. So now, I am safe for these particular ones. But I'd still like to know how to detect an exploit hiding behind a correct MIME type.


Important clarification: I'm only concerned about the risk to the PC who downloads these files to look at them. The files are not a risk to my server. They won't be executed. They are stored using a clean name (a hex hash output) with extension of ".enc" and I save them to disk in an encrypted state using an fwrite filter:

// Assumed to be defined earlier in the script: TIME_NOW, UPLOADS_DIR_TMP,
// $Hash (hex digest used as the stored file name) and $Data (the uploaded bytes).

// Generate random key to encrypt this file.
// Note: mt_rand() is not a cryptographic RNG; PHP 7+ provides random_bytes() for key material.
$AsciiKey = '';
for ($i = 0; $i < 20; $i++)
    $AsciiKey .= chr(mt_rand(1, 255));

// The proper key size for the encryption mode we're using is 256-bits (32-bytes).
// That's what "mcrypt_get_key_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC)" says.
// So we'll hash our key using SHA-256 and pass TRUE to the 2nd parameter, so we
// get raw binary output.  That will be the perfect length for the key.
$BinKey = hash('SHA256', '~~'.TIME_NOW.'~~'.$AsciiKey.'~~', true);

// Create Initialization Vector with block size of 128 bits (AES compliant) and CBC mode.
// Both $InitVec and $BinKey have to be kept somewhere, or the file can never be decrypted.
$InitVec = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_RAND);
$Args = array('iv' => $InitVec, 'key' => $BinKey, 'mode' => 'cbc');

// Save encoded file in uploads_tmp directory; the stream filter encrypts on write.
$hDest = fopen(UPLOADS_DIR_TMP.'/'.$Hash.'.enc', 'w');
stream_filter_append($hDest, 'mcrypt.rijndael-128', STREAM_FILTER_WRITE, $Args);
fwrite($hDest, $Data);
fclose($hDest);


Recommended answer


As for the first question, you'll never really know if you're not able to retrieve any logs or the images in question, because there are many things these exploits may have targeted, and depending on what the target is, the way the exploit was put into the file can be completely different.


Edit: W32/Graftor is a generic name for programs that appear to have trojan-like characteristics.


After opening the file 5060.gif in a hex editor, I noticed the program is actually a renamed Windows program. Although it's not a browser exploit, and thus harmless unless it's actually opened and executed, you'll have to make sure it isn't served with the MIME type defined by the uploader, because a user may still be tricked into opening the program; see the answer to the second question.


As for the second question: to prevent any exploit code from being run or a user, you'll have to make sure all files are stored with a safe extension in the filename so they are served with the correct MIME type. For example, you can use this regular expression to check the file name:

if (!preg_match('/\\.(gif|p(sd|ng)|tiff?|jpg)$/', $fileName)) {
    // header() needs the full status line; a bare "415 ..." string is sent as a malformed header.
    header('HTTP/1.1 415 Unsupported Media Type');
    die('File type not allowed.');
}


Also make sure you're serving the files with the correct Content Type; make sure you don't use the content type specified with the uploaded file when serving the file to the user. If you rely on the Content-Type specified by the uploader, the file may be served as text/html or anything similar and will be parsed by the users' browser as such.


Please note that this only protects against malicious files exploiting vulnerabilities in the users' browser, the image parser excluded.


If you're trying to prevent exploits against the server you'll have to make sure that you won't let the PHP parser execute the contents of the image and that the image library you are using to process the image does not have any known vulnerabilities.


Also note that this code does not defend you against images that contain an exploit for the image parser used by the user's browser; to defend against this, you can check if getimagesize() evaluates to true, as suggested by Jeroen.


Note that using getimagesize() alone isn't sufficient if you don't check file names and make sure files are served with the correct Content-Type header, because completely valid images can have HTML / PHP code embedded inside comments.
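The answer's closing point, that a completely valid image can pass a magic-number check and getimagesize() while still carrying text in a comment block, can be made concrete by walking the GIF block structure instead of only reading the first bytes. This is an added example, not code from the question or the answer: the block walker, the rejection policy (no comment or application extension blocks, nothing after the trailer) and the constructed sample GIF are my own, and the policy is a conservative choice the answer does not prescribe; it goes a step beyond the answer by also catching data appended after the trailer.

```python
import struct
def _subblocks(data, pos):
    """Read a chain of GIF data sub-blocks (length byte + payload, terminated by 0x00)."""
    out = bytearray()
    while pos < len(data):
        n, pos = data[pos], pos + 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n
    raise ValueError("truncated sub-block chain")
def inspect_gif(data):
    """Walk the block structure of a GIF and report what it really contains."""
    report = {"valid": False, "images": 0, "comments": [], "app_ext": [], "trailing_bytes": 0}
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return report                      # a magic-number check like the asker's stops here
    try:
        pos = 13 + (3 * (2 << (data[10] & 7)) if data[10] & 0x80 else 0)   # skip global colour table
        while True:
            block, pos = data[pos], pos + 1
            if block == 0x3B:              # trailer: end of the image
                break
            if block == 0x2C:              # image descriptor (9 bytes), local colour table, LZW code size
                iflags = data[pos + 8]
                pos += 9 + (3 * (2 << (iflags & 7)) if iflags & 0x80 else 0) + 1
                _, pos = _subblocks(data, pos)
                report["images"] += 1
            elif block == 0x21:            # extension: label byte, then sub-blocks
                label, pos = data[pos], pos + 1
                payload, pos = _subblocks(data, pos)
                if label == 0xFE:
                    report["comments"].append(payload)
                elif label == 0xFF:
                    report["app_ext"].append(payload[:11])
            else:
                return report              # unknown block type: not a well-formed GIF
    except (IndexError, ValueError):
        return report                      # ran off the end of the file
    report["valid"] = True
    report["trailing_bytes"] = len(data) - pos
    return report
def passes_policy(data):
    """Accept only a well-formed GIF with no comment/application blocks and nothing after the trailer."""
    r = inspect_gif(data)
    return r["valid"] and r["images"] > 0 and not r["comments"] and not r["app_ext"] and r["trailing_bytes"] == 0
SAMPLE = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"   # constructed sample:
          + b"\x21\xfe\x15<constructed-marker/>\x00"                                         # valid 1x1 GIF with a comment
          + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00\x3bJUNK!")  # and junk after the trailer
CLEAN = SAMPLE[:19] + SAMPLE[44:60]        # same image with the comment and trailing junk removed
```

Animated GIFs carry a NETSCAPE2.0 application extension for the loop count, so a site that must accept them would whitelist that identifier in `app_ext` rather than rejecting every application block.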
