?
Solved

Secure Image Uploading, ASP.NET

Posted on 2011-02-14
5
Medium Priority
?
1,007 Views
Last Modified: 2012-05-11
What is the most secure way to upload, and store images in ASP.NET?

I'm talking about protecting against code injection attacks that can happen with PHP (see: http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ )

Is asp.net vulnerable to this as well?
-Checking the file extension is a fail, easily worked around
-checking image header (same)
-attempting to compare the file (is.jpeg), but how easily is this bypassed?

-Is the safest way storing the image in the database as a binary?

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it?

Thoughts?
0
Comment
Question by:HADDADD3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 5

Expert Comment

by:Didier Vally
ID: 34894532
The best is to use something like a telerik rad uploader component.
0
 

Author Comment

by:HADDADD3
ID: 34897189
What security does radupload provide aside from file extension checking?
0
 
LVL 2

Accepted Solution

by:
bapcai earned 2000 total points
ID: 34904581
public string IsPictureforInsertImage(string strPath, string TenFile, string phanloai)
        {
            string ketqua = "";
            int docao = 0;
            char kytu = '"';
            int tempW, tempH;
            //create a image object containing a verticel photograph
            try
            {
	// Path to file upload. File name to be convert to *.config to prevent download illegally. 
                string strPathTemp = strPath.Substring(0, strPath.ToLower().IndexOf("upload")) + "data\\thumbnail\\" + TenFile + ".config"; 

                System.Drawing.Image imgPhotoVert = System.Drawing.Image.FromFile(strPath + ".config");
                float percent = (float)35 / (float)imgPhotoVert.Width;
                docao = (int)(percent * imgPhotoVert.Height);
                
                tempW = imgPhotoVert.Width;
                tempH = imgPhotoVert.Height;

                if (tempW>600)
                {
                    tempW = 600;                    
                    //docao = (int)(percent * imgPhotoVert.Height);
                    percent = (float)600 / (float)imgPhotoVert.Width;
                    tempH = (int)(percent * imgPhotoVert.Height);
                }

	// is true image
                ketqua = "<img border='0' align='absmiddle'  src='../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + "&Thumbnail=1' alt='Click vào ¿nh' width='35' height='" + docao.ToString() + "' onclick='updateImageThumbnail(" + kytu + "../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + kytu + "," + tempW.ToString() + "," + tempH.ToString() + ");'/>";

                //../thongbao/DownLoadImageFile.aspx?ItemID="+TenFile+"&thumuc=thongbao

                //imgPhotoVert.GetThumbnailImage()
                //Image.GetThumbnailImageAbort myCallback =new Image.GetThumbnailImageAbort(ThumbnailCallback()); 
                //Bitmap myBitmap = new Bitmap("Climber.jpg");
                //Image myThumbnail = imgPhotoVert.GetThumbnailImage(35,docao, myCallback, IntPtr.Zero);
                //e.Graphics.DrawImage(myThumbnail, 150, 75);
                //imgPhotoVert.Save( +Path.GetFileName(strPath) + ".config", ImageFormat.Jpeg);

                imgPhotoVert.Dispose();
                //ketqua = true;
            }
            catch (Exception ex)
            {
	// is not true image -> add your code
            }
            return ketqua;
        }

Open in new window

0
 
LVL 2

Expert Comment

by:bapcai
ID: 34904591
Response.Clear();
                            Response.Buffer = true;

                            System.Drawing.Image imageFile = null;
                            imageFile = System.Drawing.Image.FromFile(strPath);
                            Response.ContentType = "image/jpeg";
                            imageFile.Save(Response.OutputStream, ImageFormat.Jpeg);
                            Response.Flush();

Open in new window

0
 
LVL 2

Expert Comment

by:bapcai
ID: 34904623
You can use "IsPictureforInsertImage" function to check the file is true image. You should avoid storing file in database. Saving file data to database you should check sql injection by Sql command, but it is not a good design perspective.

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it? No, Addition: you can change file type to *.config to prevent downloading file illegally.
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question