Usually I found that there are many sites do not provide GIF image upload, before the security check on the site also found some GIF pictures hidden code, unexpectedly can also be executed!
Remember I use a text editor to open the picture, at the end of the picture, found a word of PHP trojan, I would like to ask, how to solve such problems?
What are the possible security risks in the image (or file) upload?
Jinchey!
Reply content:
Usually I found that there are many sites do not provide GIF image upload, before the security check on the site also found some GIF pictures hidden code, unexpectedly can also be executed!
Remember I use a text editor to open the picture, at the end of the picture, found a word of PHP trojan, I would like to ask, how to solve such problems?
What are the possible security risks in the image (or file) upload?
Jinchey!
- Upload the time do not rely on
Content-Type
to do document type verification, you can refer to my answer here how to determine the browser upload the actual type of file?
- Upload the picture file in a place outside the Web directory, limited permissions, the picture, you can use another domain name.
- Force the server to send the correct file header to the static file to avoid the code in the picture being executed reference http://nullcandy.com/php-image-upload-security-how-not-to-do-it/
ForceType application/octet-stream
ForceType image/jpeg
ForceType image/gif
ForceType image/png