• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1022
  • Last Modified:

Secure Image Uploading, ASP.NET

What is the most secure way to upload, and store images in ASP.NET?

I'm talking about protecting against code injection attacks that can happen with PHP (see: http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ )

Is asp.net vulnerable to this as well?
-Checking the file extension is a fail, easily worked around
-checking image header (same)
-attempting to compare the file (is.jpeg), but how easily is this bypassed?

-Is the safest way storing the image in the database as a binary?

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it?

Thoughts?
0
HADDADD3
Asked:
HADDADD3
  • 3
1 Solution
 
Didier VallySystems Engineer and Finance AnalystCommented:
The best is to use something like a telerik rad uploader component.
0
 
HADDADD3Author Commented:
What security does radupload provide aside from file extension checking?
0
 
bapcaiCommented:
public string IsPictureforInsertImage(string strPath, string TenFile, string phanloai)
        {
            string ketqua = "";
            int docao = 0;
            char kytu = '"';
            int tempW, tempH;
            //create a image object containing a verticel photograph
            try
            {
	// Path to file upload. File name to be convert to *.config to prevent download illegally. 
                string strPathTemp = strPath.Substring(0, strPath.ToLower().IndexOf("upload")) + "data\\thumbnail\\" + TenFile + ".config"; 

                System.Drawing.Image imgPhotoVert = System.Drawing.Image.FromFile(strPath + ".config");
                float percent = (float)35 / (float)imgPhotoVert.Width;
                docao = (int)(percent * imgPhotoVert.Height);
                
                tempW = imgPhotoVert.Width;
                tempH = imgPhotoVert.Height;

                if (tempW>600)
                {
                    tempW = 600;                    
                    //docao = (int)(percent * imgPhotoVert.Height);
                    percent = (float)600 / (float)imgPhotoVert.Width;
                    tempH = (int)(percent * imgPhotoVert.Height);
                }

	// is true image
                ketqua = "<img border='0' align='absmiddle'  src='../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + "&Thumbnail=1' alt='Click vào ¿nh' width='35' height='" + docao.ToString() + "' onclick='updateImageThumbnail(" + kytu + "../Utility/DownLoadImageFile.aspx?ItemID=" + TenFile + "&thumuc=" + phanloai + kytu + "," + tempW.ToString() + "," + tempH.ToString() + ");'/>";

                //../thongbao/DownLoadImageFile.aspx?ItemID="+TenFile+"&thumuc=thongbao

                //imgPhotoVert.GetThumbnailImage()
                //Image.GetThumbnailImageAbort myCallback =new Image.GetThumbnailImageAbort(ThumbnailCallback()); 
                //Bitmap myBitmap = new Bitmap("Climber.jpg");
                //Image myThumbnail = imgPhotoVert.GetThumbnailImage(35,docao, myCallback, IntPtr.Zero);
                //e.Graphics.DrawImage(myThumbnail, 150, 75);
                //imgPhotoVert.Save( +Path.GetFileName(strPath) + ".config", ImageFormat.Jpeg);

                imgPhotoVert.Dispose();
                //ketqua = true;
            }
            catch (Exception ex)
            {
	// is not true image -> add your code
            }
            return ketqua;
        }

Open in new window

0
 
bapcaiCommented:
Response.Clear();
                            Response.Buffer = true;

                            System.Drawing.Image imageFile = null;
                            imageFile = System.Drawing.Image.FromFile(strPath);
                            Response.ContentType = "image/jpeg";
                            imageFile.Save(Response.OutputStream, ImageFormat.Jpeg);
                            Response.Flush();

Open in new window

0
 
bapcaiCommented:
You can use "IsPictureforInsertImage" function to check the file is true image. You should avoid storing file in database. Saving file data to database you should check sql injection by Sql command, but it is not a good design perspective.

If the upload folder is explicitly denied "Traverse/ Execute" permissions, even if they uploaded malicious code, would they not be able to run it? No, Addition: you can change file type to *.config to prevent downloading file illegally.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now