HADDADD3
Secure Image Uploading, ASP.NET

What is the most secure way to upload, and store images in ASP.NET?

I'm talking about protecting against code injection attacks that can happen with PHP (see: http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ )

Is ASP.NET vulnerable to this as well?
-Checking the file extension is a fail, easily worked around
-Checking the image header (same)
-attempting to compare the file (is.jpeg), but how easily is this bypassed?

-Is the safest way storing the image in the database as a binary?

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it?

Thoughts?
Didier Vx

The best is to use something like a Telerik RadUpload component.
HADDADD3

What security does RadUpload provide aside from file extension checking?
ASKER CERTIFIED SOLUTION
bapcai

// Re-encodes the stored image as JPEG and writes it to the response, so the
// client never receives the originally uploaded bytes verbatim.
// Requires: using System.Drawing; using System.Drawing.Imaging;
Response.Clear();
Response.Buffer = true;

using (System.Drawing.Image imageFile = System.Drawing.Image.FromFile(strPath))
{
    Response.ContentType = "image/jpeg";
    imageFile.Save(Response.OutputStream, ImageFormat.Jpeg);
}
Response.Flush();

You can use an "IsPictureforInsertImage" function to check that the file is a true image. You should avoid storing files in the database. If you save file data to the database you should check the SQL command for SQL injection, but it is not good from a design perspective.

If the upload folder is explicitly denied "Traverse/Execute" permissions, even if they uploaded malicious code, would they not be able to run it? No. In addition, you can change the file type to *.config to prevent the file from being downloaded illegally.
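The following is an added example, not code posted in this thread and not the "IsPictureforInsertImage" function bapcai refers to (which is not shown here). It puts the accepted answer's approach into one place for classic ASP.NET: ignore the extension and client Content-Type, accept the upload only if the image codec can decode it, re-encode the pixels into a fresh JPEG under a server-chosen name, keep the file in a folder that is never served or executed, and return it through a handler that fixes the Content-Type itself. The upload folder ~/App_Data/uploads, the handler name GetImage.ashx and the size limits are assumptions for the example.

```csharp
// Added example (not code from the thread): validate, re-encode and store an
// uploaded image in classic ASP.NET (System.Drawing), then serve it back through
// a handler with a server-chosen Content-Type.
// Assumptions (hypothetical, adjust for your project): the upload folder
// ~/App_Data/uploads, the handler name GetImage.ashx, and the size limits below.
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public static class SecureImageStore
{
    // App_Data is never served directly by ASP.NET, so even if a file under it
    // contained script it could not be requested or executed by URL; remove
    // script/execute permission from the folder as well, as the thread suggests.
    public static string UploadRoot
    {
        get { return HttpContext.Current.Server.MapPath("~/App_Data/uploads"); }
    }

    private const int MaxUploadBytes = 2 * 1024 * 1024; // constructed limit
    private const int MaxDimension = 4096;               // guards against decompression bombs

    // Accepts a posted file and returns the opaque id under which it was stored.
    // Throws HttpException(400) when the content is not a decodable image.
    public static string Save(HttpPostedFile file)
    {
        if (file == null || file.ContentLength <= 0 || file.ContentLength > MaxUploadBytes)
            throw new HttpException(400, "Invalid upload size.");

        // The extension and the client-supplied Content-Type are ignored entirely;
        // the only test is whether the image codec can decode the bytes.
        Bitmap decoded;
        try
        {
            using (var ms = new MemoryStream())
            {
                file.InputStream.CopyTo(ms);
                ms.Position = 0;
                using (var img = Image.FromStream(ms, false, true))
                {
                    if (img.Width > MaxDimension || img.Height > MaxDimension)
                        throw new HttpException(400, "Image too large.");
                    // Copying into a fresh Bitmap keeps only the pixels: EXIF/comment
                    // segments and any bytes appended after the image data are dropped.
                    decoded = new Bitmap(img);
                }
            }
        }
        catch (ArgumentException)
        {
            throw new HttpException(400, "Not a valid image.");
        }

        // The server chooses the name; the client's file name never reaches the disk.
        string id = Guid.NewGuid().ToString("N");
        Directory.CreateDirectory(UploadRoot);
        using (decoded)
        {
            decoded.Save(Path.Combine(UploadRoot, id + ".jpg"), ImageFormat.Jpeg);
        }
        return id;
    }
}

// Registered as GetImage.ashx (hypothetical): GET GetImage.ashx?id=<32 hex chars>
public class GetImageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only ids of the exact shape produced by Save() are accepted, so the
        // query string can never be turned into a path to some other file.
        string id = context.Request.QueryString["id"] ?? string.Empty;
        if (!Regex.IsMatch(id, "^[0-9a-f]{32}$"))
        {
            context.Response.StatusCode = 400;
            return;
        }

        string path = Path.Combine(SecureImageStore.UploadRoot, id + ".jpg");
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.Clear();
        context.Response.ContentType = "image/jpeg"; // fixed by the server, never sniffed
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.AddHeader("Content-Disposition", "inline; filename=\"" + id + ".jpg\"");
        context.Response.TransmitFile(path);
    }
}
```

From a page, call `SecureImageStore.Save(FileUpload1.PostedFile)` and keep the returned id in your own records; the browser only ever sees `GetImage.ashx?id=...`. Because the stored file is a freshly encoded JPEG that the server never executes and the client never fetches by its real path, the header-spoofing trick from the linked PHP article has nothing to run against, and the question about denying Execute on the folder becomes a second layer rather than the only one.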