Click here to Skip to main content
15,850,103 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Mandiant was able to upload a document with filetype that is not allowed, bypassing current filters.
The file upload pages only checked the file extension to permit or deny the upload. This method ignores the actual content of the file and the potential danger posed to employees responsible for interacting with the content.

How to implement file header inspection to verify the content in the upload will be interpreted as an image regardless of the application used.

What I have tried:

Checked MIMETYPE and headers in javascript
Posted
Updated 18-Jan-17 4:37am
Comments
Richard MacCutchan 18-Jan-17 8:47am    
You can never guarantee that a file is the correct type, even after inspecting its contents. Some files contain specific header identifiers that you can look for, but any other file may contain the same sequence. Accept that the user (mostly) knows what they are doing, and leave it at that.
F-ES Sitecore 18-Jan-17 9:47am    
You've just learned why javascript validation is a nice-to-have but server validation is mandatory.
Member-515487 19-Jan-17 1:25am    
How can closed this security defect
i am checking on client side extension also server side
is there any other way to get it done

user uploading file after changing extension

1 solution

If only a few file types like images should be supported you can write a function checking for "magic bytes".

Such a function will usually read a fixed number of bytes from the beginning of the file and search for the magic bytes at file type specific positions.

The Linux file command provides such checks using a file named magic that defines the search patterns. This file can be used as starting point for your checks.

Some image file definitions:
0       string          \x89PNG\x0d\x0a\x1a\x0a         PNG image data
0       string          GIF8            GIF image data
0       beshort         0xffd8          JPEG image data
0       string          MM\x00\x2a      TIFF image data, big-endian
0       string          II\x2a\x00      TIFF image data, little-endian

The format is quite simple:
The first value is the offset, the second the data type, and the third the data (with strings using C style where \xNN indicates a hex byte and \NNN an octal byte).

Howerver, these checks might still fail.
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900