?
Solved

Secure Image Uploading, ASP.NET

Posted on 2011-02-14
5
Medium Priority
?
1,010 Views
Last Modified: 2012-05-11
What is the most secure way to upload, and store images in ASP.NET?

I'm talking about protecting against code injection attacks that can happen with PHP (see: http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ )

Is asp.net vulnerable to this as well?
-Checking the file extension is a fail, easily worked around
-checking image header (same)
-attempting to compare the file (is.jpeg), but how easily is this bypassed?

-Is the safest way storing the image in the database as a binary?

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it?

Thoughts?
0
Comment
Question by:HADDADD3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 5

Expert Comment

by:Didier Vally
ID: 34894532
The best is to use something like a telerik rad uploader component.
0
 

Author Comment

by:HADDADD3
ID: 34897189
What security does radupload provide aside from file extension checking?
0
 
LVL 2

Accepted Solution

by:
bapcai earned 2000 total points
ID: 34904581
public string IsPictureforInsertImage(string strPath, string TenFile, string phanloai)
        {
            string ketqua = "";
            int docao = 0;
            char kytu = '"';
            int tempW, tempH;
            //create a image object containing a verticel photograph
            try
            {
	// Path to file upload. File name to be convert to *.config to prevent download illegally. 
                string strPathTemp = strPath.Substring(0, strPath.ToLower().IndexOf("upload")) + "data\\thumbnail\\" + TenFile + ".config"; 

                System.Drawing.Image imgPhotoVert = System.Drawing.Image.FromFile(strPath + ".config");
                float percent = (float)35 / (float)imgPhotoVert.Width;
                docao = (int)(percent * imgPhotoVert.Height);
                
                tempW = imgPhotoVert.Width;
                tempH = imgPhotoVert.Height;

                if (tempW>600)
                {
                    tempW = 600;                    
                    //docao = (int)(percent * imgPhotoVert.Height);
                    percent = (float)600 / (float)imgPhotoVert.Width;
                    tempH = (int)(percent * imgPhotoVert.Height);
                }

	// is true image
                ketqua = "<img border='0' align='absmiddle'  src='../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + "&Thumbnail=1' alt='Click vào ¿nh' width='35' height='" + docao.ToString() + "' onclick='updateImageThumbnail(" + kytu + "../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + kytu + "," + tempW.ToString() + "," + tempH.ToString() + ");'/>";

                //../thongbao/DownLoadImageFile.aspx?ItemID="+TenFile+"&thumuc=thongbao

                //imgPhotoVert.GetThumbnailImage()
                //Image.GetThumbnailImageAbort myCallback =new Image.GetThumbnailImageAbort(ThumbnailCallback()); 
                //Bitmap myBitmap = new Bitmap("Climber.jpg");
                //Image myThumbnail = imgPhotoVert.GetThumbnailImage(35,docao, myCallback, IntPtr.Zero);
                //e.Graphics.DrawImage(myThumbnail, 150, 75);
                //imgPhotoVert.Save( +Path.GetFileName(strPath) + ".config", ImageFormat.Jpeg);

                imgPhotoVert.Dispose();
                //ketqua = true;
            }
            catch (Exception ex)
            {
	// is not true image -> add your code
            }
            return ketqua;
        }

Open in new window

0
 
LVL 2

Expert Comment

by:bapcai
ID: 34904591
Response.Clear();
                            Response.Buffer = true;

                            System.Drawing.Image imageFile = null;
                            imageFile = System.Drawing.Image.FromFile(strPath);
                            Response.ContentType = "image/jpeg";
                            imageFile.Save(Response.OutputStream, ImageFormat.Jpeg);
                            Response.Flush();

Open in new window

0
 
LVL 2

Expert Comment

by:bapcai
ID: 34904623
You can use "IsPictureforInsertImage" function to check the file is true image. You should avoid storing file in database. Saving file data to database you should check sql injection by Sql command, but it is not a good design perspective.

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it? No, Addition: you can change file type to *.config to prevent downloading file illegally.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question