xisto Community
phpfreek

Image Hosting Can Hurt You


Hello; if you are running a website that offers free image hosting, then this is for you! If the image hosting script you are using is a bit poor, hackers can use this to upload their "php shell" and be able to make modifications to your site!!! You might say this wouldn't happen to you! ... but it happened to me ... My website is mostly a family website, so all my family checks it, and when the hackers acted ... I got humiliated :blink: ... they put "inappropriate pages" on my site ... I had to delete everything they put up and disable the image hosting service, but all this after I got humiliated ... so watch out, guys!!


That could happen, but if your upload script only allows pictures... there's a slightly smaller chance of that.

Less likely, yes, but not impossible. There is a way to get PHP to execute within an image, as some signatures you see do, the ones which display your IP, OS etc... The only way I know of doing this is to write the PHP code yourself and specify an image document type, but I'm sure there is an exploit somewhere which will allow such images to be uploaded.

 

As a rule I wouldn't normally allow people to upload their own images, just because it's risky in what they might upload, including illegal images and code etc... It might be an idea to try to add a feature to let people specify a URL to an image already hosted, and to have them upload these images on some other professional image host. Might defeat the point though!


If I recall correctly, Image Shack used to have a vulnerability to something like this and some forms of spyware were actually trying to slip their way in, along with the image upload. Eventually, they had something scripted in that blocks anybody who has cool web search and the like from uploading anything.


I wrote an upload script in PHP a few years ago that allowed users to upload jpg/gif images. The 3 important things that must be in an upload script are:

1. Check the file's name (in my case ensure it's a .jpg or .gif and not anything else)
2. Check the file's CONTENT-TYPE
3. Set the permissions of the file so that it isn't allowed to be "executed" (read/write only)

Also, I dynamically renamed the files so that:

1. Overwriting existing files of the same name wouldn't be a problem
2. More secure: if the above methods failed, at least the file would have an arbitrary name like randomname.jpg instead of something like index.gif.php

Finally, be careful about allowing users to upload files into a directory visible from the web.

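The checks listed in the post above, as an added example in PHP that is not the poster's own script. It assumes a form field named "image" and a storage directory outside the web root (both assumptions), and it verifies the content type from the bytes on disk rather than from the client-supplied Content-Type header, which the uploader controls; because a valid image can still carry PHP text inside it, the random name, the missing execute bit and the location outside the web root are what keep such a file from ever being run.

```php
<?php
// Hardened image-upload handler (added example, not the poster's script).
// Assumes a form field named "image" and a storage directory UPLOAD_DIR that
// sits outside the web root, so the web server never serves it as a script.
const UPLOAD_DIR = '/var/www/uploads_private'; // assumed path, not under the document root
const MAX_BYTES  = 2 * 1024 * 1024;
// Only these two image types are accepted; the value is the extension we store.
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 1. Check the file name: the last extension must be jpg/jpeg/gif and
    //    nothing else, so a name such as "index.gif.php" is refused here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif'], true)) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Check the content type from the file's bytes, not from $_FILES['type'],
    //    which is sent by the client and can be set to anything.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a JPEG or GIF image');
    }
    // Random name: nothing gets overwritten and the uploader does not pick the name.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // 3. Read/write for the owner only; no execute bit for anyone.
    chmod($dest, 0640);
    return basename($dest);
}

if (isset($_FILES['image'])) {
    header('Content-Type: text/plain');
    try {
        echo 'stored as ' . storeUploadedImage($_FILES['image']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage();
    }
}
```

Files stored under UPLOAD_DIR are later served by a separate read-only script (readfile() with an explicit image Content-Type), so the web server never maps a URL onto the stored file itself.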

He didn't use a website, he used a script for his own image uploading website. There are so many image hosting websites out there that I wouldn't really bother making my own, though. It would be good for practice, but unless you have bandwidth and your own server it could be fun.


Less likely, yes, but not impossible. There is a way to get PHP to execute within an image, as some signatures you see do, the ones which display your IP, OS etc... The only way I know of doing this is to write the PHP code yourself and specify an image document type, but I'm sure there is an exploit somewhere which will allow such images to be uploaded.

How could you embed a PHP script in an image document type? :)

 

Anyway, there is no problem with using an image hosting service like Image Shack.

The problems come only when you make a website which allows the visitors to upload their data to the server.

 

So this means you need to be careful when you make an image hosting service like Image Shack, but you don't need to worry when you use it. There is no security problem there.


Well, I have created a certain signature that I use in forums that allow members to have hosted images in their signatures via the IMG tag and don't check for extensions... Xisto doesn't allow it, so I'm not using it here, but I certainly can see how one could easily make a malicious PHP script and take over some site, or crash it...

If you want to see my signature, go see http://forums.xisto.com/no_longer_exists/ ... It is a pure JPEG picture, no malicious code... If it's not allowed to have links here, mods, please remove this section; it's not my intent to promote my site, just to show how it would work :P
