Solved

Secure Image Uploading, ASP.NET

Posted on 2011-02-14
5
1,000 Views
Last Modified: 2012-05-11
What is the most secure way to upload, and store images in ASP.NET?

I'm talking about protecting against code injection attacks that can happen with PHP (see: http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ )

Is asp.net vulnerable to this as well?
-Checking the file extension is a fail, easily worked around
-checking image header (same)
-attempting to compare the file (is.jpeg), but how easily is this bypassed?

-Is the safest way storing the image in the database as a binary?

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it?

Thoughts?
0
Comment
Question by:HADDADD3
  • 3
5 Comments
 
LVL 5

Expert Comment

by:Didier Vally
ID: 34894532
The best is to use something like a telerik rad uploader component.
0
 

Author Comment

by:HADDADD3
ID: 34897189
What security does radupload provide aside from file extension checking?
0
 
LVL 2

Accepted Solution

by:
bapcai earned 500 total points
ID: 34904581
public string IsPictureforInsertImage(string strPath, string TenFile, string phanloai)
        {
            string ketqua = "";
            int docao = 0;
            char kytu = '"';
            int tempW, tempH;
            //create a image object containing a verticel photograph
            try
            {
	// Path to file upload. File name to be convert to *.config to prevent download illegally. 
                string strPathTemp = strPath.Substring(0, strPath.ToLower().IndexOf("upload")) + "data\\thumbnail\\" + TenFile + ".config"; 

                System.Drawing.Image imgPhotoVert = System.Drawing.Image.FromFile(strPath + ".config");
                float percent = (float)35 / (float)imgPhotoVert.Width;
                docao = (int)(percent * imgPhotoVert.Height);
                
                tempW = imgPhotoVert.Width;
                tempH = imgPhotoVert.Height;

                if (tempW>600)
                {
                    tempW = 600;                    
                    //docao = (int)(percent * imgPhotoVert.Height);
                    percent = (float)600 / (float)imgPhotoVert.Width;
                    tempH = (int)(percent * imgPhotoVert.Height);
                }

	// is true image
                ketqua = "<img border='0' align='absmiddle'  src='../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + "&Thumbnail=1' alt='Click vào ¿nh' width='35' height='" + docao.ToString() + "' onclick='updateImageThumbnail(" + kytu + "../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + kytu + "," + tempW.ToString() + "," + tempH.ToString() + ");'/>";

                //../thongbao/DownLoadImageFile.aspx?ItemID="+TenFile+"&thumuc=thongbao

                //imgPhotoVert.GetThumbnailImage()
                //Image.GetThumbnailImageAbort myCallback =new Image.GetThumbnailImageAbort(ThumbnailCallback()); 
                //Bitmap myBitmap = new Bitmap("Climber.jpg");
                //Image myThumbnail = imgPhotoVert.GetThumbnailImage(35,docao, myCallback, IntPtr.Zero);
                //e.Graphics.DrawImage(myThumbnail, 150, 75);
                //imgPhotoVert.Save( +Path.GetFileName(strPath) + ".config", ImageFormat.Jpeg);

                imgPhotoVert.Dispose();
                //ketqua = true;
            }
            catch (Exception ex)
            {
	// is not true image -> add your code
            }
            return ketqua;
        }

Open in new window

0
 
LVL 2

Expert Comment

by:bapcai
ID: 34904591
Response.Clear();
                            Response.Buffer = true;

                            System.Drawing.Image imageFile = null;
                            imageFile = System.Drawing.Image.FromFile(strPath);
                            Response.ContentType = "image/jpeg";
                            imageFile.Save(Response.OutputStream, ImageFormat.Jpeg);
                            Response.Flush();

Open in new window

0
 
LVL 2

Expert Comment

by:bapcai
ID: 34904623
You can use "IsPictureforInsertImage" function to check the file is true image. You should avoid storing file in database. Saving file data to database you should check sql injection by Sql command, but it is not a good design perspective.

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it? No, Addition: you can change file type to *.config to prevent downloading file illegally.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

937 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now