  1. #1 SitePoint Wizard (United Kingdom)

    Vulnerability in Thumbnail script?

    Hi,

    I'm using the PHP Thumbnailer Class(http://www.gen-x-design.com/projects...bnailer-class/) on one of my web sites.

    However, I wonder if there is a vulnerability in the code.

    PHP Code:
    <?php
    /**
     * show_image.php
     * 
     * Example utility file for dynamically displaying images
     * 
     * @author      Ian Selby
     * @version     1.0 (php 4 version)
     */

    //reference thumbnail class
    include_once('thumbnail.inc.php');

    $thumb = new Thumbnail($_GET['filename']);
    //$thumb->resize($_GET['width'],$_GET['height']);
    $thumb->resize(150,150);
    $thumb->cropFromCenter(111);
    $thumb->show();
    $thumb->destruct();
    exit;
    ?> 
    It works like show_image.php?filename=http://www.mysite.com/bigimage.jpg

    However, is this part secure?
    PHP Code:
    $thumb = new Thumbnail($_GET['filename']); 
    If not, how would I best fix this so it only accepts files on my server?

    It doesn't seem to filter or sanitise my $_GET value.


    Many thanks for your thoughts.

  2. #2 frank1
    Taking the filename through GET is always considered to be "don't do it" practice... as far as I know...
    In this script a lot depends upon
    'thumbnail.inc.php'
    and how it is filtering the type of file it accepts.

    The other problem (maybe the one you are concerned about) may be bandwidth theft: if somebody spots this file then they might use it as an image resizer and your bandwidth will be used... or launch an attack....
    When we think on a small scale, it may not sound that bad...
    but if your competitor loops 1000 images through your file then the problems will start...

    One solution I can think of:
    why don't you make it accept a relative path only rather than an absolute one?
    The next solution might be to check the base URL; there are functions in PHP for that....
    Though not 100% safe, they can be useful...

  3. #3 SitePoint Wizard (United Kingdom)
    I think bandwidth theft may be an issue actually. Thank you for raising this.

    why don't you make it accept a relative path only rather than an absolute one?
    The next solution might be to check the base URL; there are functions in PHP for that....
    How would I best do this?
    Would I disallow 'http' or 'www' appearing in the $_GET['filename'] ?


    Many thanks for your help.

  4. #4 AnthonySterling (North-East, UK)
    The library checks if the file exists; however, I'd lock the search down somewhat, as the library doesn't.

    Something similar to...

    PHP Code:
    if(true === file_exists(sprintf('/var/www/assets/images/%s', basename($_GET['filename'])))){
        // do stuff
    }
    Either that, or extend ThumbBase and override the fileExistsAndReadable method to just look in a designated location of your choosing.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.
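The following is an added example, not code from the Thumbnailer library or from any poster in this thread. It builds on the basename()/file_exists() check from post #4 and adds the checks a practitioner would want on top of it: basename() alone still lets '.' and '..' through file_exists() (both name a directory), it says nothing about symlinks that point outside the folder, and it does not confirm that a file called something.jpg actually contains an image. The function below reduces the request to a bare filename, resolves it with realpath() inside one fixed directory, rejects anything that does not end up as a regular file under that directory, and finally asks getimagesize() to confirm the bytes are an image of an allowed type. The directory name, the allowed-type list, the constructed demo files and the 404 wiring at the end are all assumptions for illustration.

```php
<?php
/**
 * Added example (not part of the Thumbnailer library or the original posts).
 * A stricter version of the basename()/file_exists() check from post #4.
 */

// Assumed location of the only images show_image.php may read.
define('IMAGE_DIR', '/var/www/assets/images');

// Image types the thumbnailer is expected to handle (assumption).
$allowedTypes = array(IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF);

/**
 * Return the absolute path of $requested inside $baseDir, or null if it must
 * not be served. Refused: URLs and ../ sequences (reduced to a bare name),
 * the directories '.' and '..', anything that resolves outside $baseDir
 * (including symlinks), non-files, and files that are not real images.
 */
function resolveLocalImage($requested, $baseDir, array $allowedTypes)
{
    // Drop every directory or URL component: "http://x/y/big.jpg" -> "big.jpg".
    $name = basename((string) $requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // base directory missing, or the file does not exist
    }

    // realpath() follows symlinks, so a link to /etc/passwd resolves outside
    // $base and fails this prefix check; is_file() rejects directories.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }

    // Check the bytes, not the extension: a renamed PHP file is not an image.
    $info = @getimagesize($path);
    if ($info === false || !in_array($info[2], $allowedTypes, true)) {
        return null;
    }

    return $path;
}

// --- Constructed demonstration input (temporary files, not real site data) ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'thumb_demo_' . uniqid();
mkdir($dir);
// A genuine 1x1 PNG so that getimagesize() succeeds on it.
file_put_contents($dir . '/bigimage.png', base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
file_put_contents($dir . '/notes.txt', "not an image\n");

$cases = array(
    'bigimage.png',                        // plain local name: served
    'http://www.mysite.com/bigimage.png',  // URL reduced to its basename: served from the local directory, never fetched
    '../../../etc/passwd',                 // traversal: reduced to "passwd", which does not exist here
    '..',                                  // directory: refused before touching the filesystem
    'notes.txt',                           // exists, but getimagesize() says it is not an image
    'missing.png',                         // does not exist
);
foreach ($cases as $case) {
    $result = resolveLocalImage($case, $dir, $allowedTypes);
    printf("%-40s => %s\n", $case, $result === null ? 'refused' : 'ok: ' . basename($result));
}

// Tidy up the demo files.
unlink($dir . '/bigimage.png');
unlink($dir . '/notes.txt');
rmdir($dir);

// Wiring into show_image.php (assumed; the Thumbnail class and its methods
// are the library's own, used exactly as in the original post):
//   $path = resolveLocalImage($_GET['filename'], IMAGE_DIR, $allowedTypes);
//   if ($path === null) { header('HTTP/1.0 404 Not Found'); exit; }
//   $thumb = new Thumbnail($path);
```

Because the name is reduced with basename() before the lookup, a request carrying a full URL is never fetched from the remote host; at most it maps onto a file that already sits in the local directory, which answers the bandwidth-theft concern from post #2 as well as the traversal one. The getimagesize() check runs whether or not the GD extension is installed, since it only reads the file header.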

  5. #5 SitePoint Wizard (United Kingdom)
    Hi Anthony,

    Brilliant! That seems perfect. Just tried it out. Loads the local image fine and doesn't load external ones.

    Thanks once more.

