From: Sebastian Ewert on 14 Aug 2010 16:36

Hi,

before I allow to upload images I read them and check for several html tags. If they exist I don't allow the upload. Is there any need to check pdf files, too? At the time I'm doing this, but the result is that many files are denied because of unallowed html tags.
From: Peter Lind on 14 Aug 2010 16:41

On 14 August 2010 22:36, Sebastian Ewert <seb2015(a)yahoo.de> wrote:
> Hi,
>
> before I allow to upload images I read them and check for several html
> tags. If they exist I don't allow the upload. Is there any need to check
> pdf files, too? At the time I'm doing this, but the result is that many
> files are denied because of unallowed html tags.
>

Reading and checking for html tags seems rather excessive - I would rather use image extensions/pdf extensions and tools to verify that the uploaded data was in fact one or the other. If someone uploads an image and you cannot get the image dimensions from the file, for instance, then it's likely not an image.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
From: Sebastian on 14 Aug 2010 17:51

Peter Lind wrote:
> On 14 August 2010 22:36, Sebastian Ewert <seb2015(a)yahoo.de> wrote:
>> Hi,
>>
>> before I allow to upload images I read them and check for several html
>> tags. If they exist I don't allow the upload. Is there any need to check
>> pdf files, too? At the time I'm doing this, but the result is that many
>> files are denied because of unallowed html tags.
>>
>
> Reading and checking for html tags seems rather excessive - I would
> rather use image extensions/pdf extensions and tools to verify that
> the uploaded data was in fact one or the other. If someone uploads an
> image and you cannot get the image dimensions from the file, for
> instance, then it's likely not an image.
>
> Regards
> Peter
>

So if imagick says it's an image/pdf there is no need to check for html tags? My upload class first checks the mime type with imagick. Do you know other tools?

I think I can remember an XSS tutorial where the js code was included in an image. But I haven't tried it so I couldn't test the result. He used a program to combine images with text. Perhaps I have understood something wrong.
From: Peter Lind on 14 Aug 2010 18:09

I'm guessing you may have been referring to something like: http://kestas.kuliukas.com/JavaScriptImage/ - this actually does seem to be a valid threat to IE6 and would go undetected by the measures proposed. Checking an image for <script> tags seems to be the only way to check if IE6 will render it as html and whether or not it will cause problems.

I don't know if the same vulnerability exists for pdfs - you'd have to check security sources for it.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
From: Sebastian on 14 Aug 2010 18:56

Peter Lind wrote:
> I'm guessing you may have been referring to something like:
> http://kestas.kuliukas.com/JavaScriptImage/ - this actually does seem
> to be a valid threat to IE6 and would go undetected by the measures
> proposed. Checking an image for <script> tags seems to be the only way to
> check if IE6 will render it as html and whether or not it will cause
> problems.
>
> I don't know if the same vulnerability exists for pdfs - you'd have to
> check security sources for it.
>
> Regards
> Peter
>

THX now I understand why only the first bytes are checked for tags. I'm not planning to support IE6. A message with an update link is displayed if IE6 enters the site. For other browsers the mime type check with imagick is enough security or are there better ways?
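The two checks discussed in this thread, Peter's "verify it is really an image by reading its dimensions" and the "scan the leading bytes for HTML tags" check that catches the JavaScript-in-an-image case, can be combined into one upload validator. The following is an added example written for this thread, not code from any poster or from the imagick extension; it uses only the Python standard library and parses the PNG, GIF and JPEG headers itself instead of calling an image library. The 256-byte sniffing window is an assumption (the number of leading bytes a content-sniffing browser inspects before deciding a file is HTML); the sample files are constructed inline, and the "sniffable" GIF is a valid 1x1 image whose comment block carries HTML markup, which is exactly the file that a dimension check alone would accept.

```python
"""Upload validator: magic bytes + parsed dimensions + HTML-markup scan of the leading bytes."""
import re
import struct

# Assumption: how many leading bytes a sniffing browser looks at before deciding
# a file is HTML. Anything after this window is irrelevant to the sniffing decision.
SNIFF_WINDOW = 256

# Opening tags that a content sniffer treats as "this is HTML". Deliberately a short
# list of root-level tags so that PDF dictionary keys such as "<< /Title" do not match.
HTML_TAG_RE = re.compile(
    rb"<\s*(script|html|body|head|iframe|object|embed|svg|plaintext|frameset)\b",
    re.IGNORECASE,
)

# JPEG start-of-frame markers; the frame header right after one carries height/width.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def _png_dimensions(data):
    # 8-byte signature, then the IHDR chunk: length(4) 'IHDR'(4) width(4) height(4)
    if len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def _gif_dimensions(data):
    # 'GIF87a'/'GIF89a', then logical screen width and height, little-endian 16-bit
    if len(data) < 10:
        return None
    return struct.unpack("<HH", data[6:10])


def _jpeg_dimensions(data):
    # Walk the marker segments after SOI until a start-of-frame segment is found.
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None  # lost sync: not a well-formed JPEG
        marker = data[i + 1]
        if marker == 0xFF:  # fill byte, skip it
            i += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            i += 2
            continue
        if marker == 0xD9 or i + 4 > len(data):  # EOI before any frame, or truncated
            return None
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in SOF_MARKERS:
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return (width, height)
        i += 2 + seg_len
    return None


# (magic bytes, detected MIME type, dimension parser or None for non-image types)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", _png_dimensions),
    (b"GIF87a", "image/gif", _gif_dimensions),
    (b"GIF89a", "image/gif", _gif_dimensions),
    (b"\xff\xd8\xff", "image/jpeg", _jpeg_dimensions),
    (b"%PDF-", "application/pdf", None),
]


def detect_type(data):
    """Identify the file by its leading bytes, ignoring the client-supplied name/type."""
    for magic, mime, dims_fn in SIGNATURES:
        if data.startswith(magic):
            return mime, dims_fn
    return None, None


def looks_like_html(data, window=SNIFF_WINDOW):
    """True if the bytes a sniffing browser inspects contain an HTML opening tag."""
    return HTML_TAG_RE.search(data[:window]) is not None


def validate_upload(data, claimed_mime):
    """Return (accepted, reason). The claimed MIME type must agree with the signature,
    images must yield non-zero dimensions, and no HTML tag may sit in the sniff window."""
    mime, dims_fn = detect_type(data)
    if mime is None:
        return False, "unknown file signature"
    if mime != claimed_mime:
        return False, f"signature says {mime}, client claimed {claimed_mime}"
    if dims_fn is not None:
        dims = dims_fn(data)
        if dims is None or 0 in dims:
            return False, "could not read image dimensions"
    if looks_like_html(data):
        return False, "HTML markup inside the sniffing window"
    return True, mime


# Constructed sample inputs (not real uploads).
_GIF_HEAD = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
_GIF_TAIL = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
GOOD_GIF = _GIF_HEAD + _GIF_TAIL
_MARKUP = b"<html><script>"  # inert markup placed in a GIF comment extension block
SNIFFABLE_GIF = _GIF_HEAD + b"\x21\xfe" + bytes([len(_MARKUP)]) + _MARKUP + b"\x00" + _GIF_TAIL
GOOD_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", 640, 480) + b"\x08\x02\x00\x00\x00" + b"\x00\x00\x00\x00")
GOOD_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", 200, 300) + b"\x01\x01\x11\x00")
GOOD_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Title (x) >>\nendobj\n%%EOF\n"
HTML_AS_PNG = b"<html><body>renamed to .png</body></html>"

if __name__ == "__main__":
    for name, blob, claimed in [("good gif", GOOD_GIF, "image/gif"),
                                ("sniffable gif", SNIFFABLE_GIF, "image/gif"),
                                ("html named png", HTML_AS_PNG, "image/png"),
                                ("good pdf", GOOD_PDF, "application/pdf")]:
        print(name, validate_upload(blob, claimed))
```

The sniffable GIF is the instructive case: its dimensions parse fine (1x1), so an imagick or getimagesize-style check accepts it, and only the scan of the leading bytes rejects it. The scan is confined to the sniffing window because that is all a sniffing browser reads, which is why the thread notes that only the first bytes need checking. On the server side, sending uploads with the `X-Content-Type-Options: nosniff` response header and from a separate origin removes the browser's incentive to reinterpret the file at all, and complements rather than replaces the content check.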