Solved

Secure Image Uploading, ASP.NET

Posted on 2011-02-14
5
998 Views
Last Modified: 2012-05-11
What is the most secure way to upload, and store images in ASP.NET?

I'm talking about protecting against code injection attacks that can happen with PHP (see: http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ )

Is asp.net vulnerable to this as well?
-Checking the file extension is a fail, easily worked around
-checking image header (same)
-attempting to compare the file (is.jpeg), but how easily is this bypassed?

-Is the safest way storing the image in the database as a binary?

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it?

Thoughts?
0
Comment
Question by:HADDADD3
  • 3
5 Comments
 
LVL 5

Expert Comment

by:Didier Vally
ID: 34894532
The best is to use something like a telerik rad uploader component.
0
 

Author Comment

by:HADDADD3
ID: 34897189
What security does radupload provide aside from file extension checking?
0
 
LVL 2

Accepted Solution

by:
bapcai earned 500 total points
ID: 34904581
public string IsPictureforInsertImage(string strPath, string TenFile, string phanloai)
        {
            string ketqua = "";
            int docao = 0;
            char kytu = '"';
            int tempW, tempH;
            //create a image object containing a verticel photograph
            try
            {
	// Path to file upload. File name to be convert to *.config to prevent download illegally. 
                string strPathTemp = strPath.Substring(0, strPath.ToLower().IndexOf("upload")) + "data\\thumbnail\\" + TenFile + ".config"; 

                System.Drawing.Image imgPhotoVert = System.Drawing.Image.FromFile(strPath + ".config");
                float percent = (float)35 / (float)imgPhotoVert.Width;
                docao = (int)(percent * imgPhotoVert.Height);
                
                tempW = imgPhotoVert.Width;
                tempH = imgPhotoVert.Height;

                if (tempW>600)
                {
                    tempW = 600;                    
                    //docao = (int)(percent * imgPhotoVert.Height);
                    percent = (float)600 / (float)imgPhotoVert.Width;
                    tempH = (int)(percent * imgPhotoVert.Height);
                }

	// is true image
                ketqua = "<img border='0' align='absmiddle'  src='../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + "&Thumbnail=1' alt='Click vào ¿nh' width='35' height='" + docao.ToString() + "' onclick='updateImageThumbnail(" + kytu + "../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + kytu + "," + tempW.ToString() + "," + tempH.ToString() + ");'/>";

                //../thongbao/DownLoadImageFile.aspx?ItemID="+TenFile+"&thumuc=thongbao

                //imgPhotoVert.GetThumbnailImage()
                //Image.GetThumbnailImageAbort myCallback =new Image.GetThumbnailImageAbort(ThumbnailCallback()); 
                //Bitmap myBitmap = new Bitmap("Climber.jpg");
                //Image myThumbnail = imgPhotoVert.GetThumbnailImage(35,docao, myCallback, IntPtr.Zero);
                //e.Graphics.DrawImage(myThumbnail, 150, 75);
                //imgPhotoVert.Save( +Path.GetFileName(strPath) + ".config", ImageFormat.Jpeg);

                imgPhotoVert.Dispose();
                //ketqua = true;
            }
            catch (Exception ex)
            {
	// is not true image -> add your code
            }
            return ketqua;
        }

Open in new window

0
 
LVL 2

Expert Comment

by:bapcai
ID: 34904591
Response.Clear();
                            Response.Buffer = true;

                            System.Drawing.Image imageFile = null;
                            imageFile = System.Drawing.Image.FromFile(strPath);
                            Response.ContentType = "image/jpeg";
                            imageFile.Save(Response.OutputStream, ImageFormat.Jpeg);
                            Response.Flush();

Open in new window

0
 
LVL 2

Expert Comment

by:bapcai
ID: 34904623
You can use "IsPictureforInsertImage" function to check the file is true image. You should avoid storing file in database. Saving file data to database you should check sql injection by Sql command, but it is not a good design perspective.

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it? No, Addition: you can change file type to *.config to prevent downloading file illegally.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now