File upload and md5

Hi guys,

Just a quickie (hopefully)…

I’m putting together an application that will require users to upload images to the database. I’ve currently got it set up so that the image is stored into a folder with the name md5 encrypted and the link in the db encrypted the same. It seems to work fine… except, I have a thumbnail preview of the image on successful upload. If you right click the image and save it, it saves it by default with the md5 encrypted file name.

The whole point of this exercise was so that no one would know the filenames… How can I get it to save as… with a different name?

Thanks in advance.

I’m entirely sure what you’re doing. Are the files stored in the web root and served by the web server, or are they stored somewhere else and served through php?
And what’s the point of using md5, why would it be bad if people know the filename?

The files are stored in the web root and served by the web server; the reason for the md5 is purely for name randomness. But if you right click an image and save it, the browser uses the actual file name, and I want that masked if possible. As for knowing the filename, I’ve just finished reading an article about image header attacks and it made me a bit paranoid, that’s all.

You can’t force the “Save as …” to use a different name than the actual filename when serving the files through the web server. You could do it if you serve all the files through PHP, but this is overkill for most cases.

What image header attack are you talking about btw, could you post a link?

Effectively all you are doing by using MD5 on the original filenames is to replace those original filenames with new filenames. Once you have renamed them then the files have their new filenames and will be just as accessible with those names as they would have been before you used md5. The only change you will have made is to rename the files.

I appreciate the replies guys, and realise I may have been looking at the situation all wrong.

ScallioXTX - the article in question is located here… http://www.acunetix.com/websitesecurity/upload-forms-threat.htm Case 6.

I’ve no idea how old/new the article is; however, when I read how simple the theory was I immediately thought of protecting against it. I’m sure there are better methods though…

Thanks again.

There are a number of interesting points in this article.

  1. The double extension trick looks nefarious.

  2. It would be great if there was a way to remove all non-image-related data in an image. This would also decrease file sizes. Anyone heard of a way of doing this?

E

Here’s what I would do.

  1. Once the file is uploaded, I would save the md5 to the database with an auto increment id field.

My database would probably look like this.

ID  MD5
0   13218749142414102393
1   13218749142321320239
2   13218749142414102634
3   13218756767456646465

  2. You can now serve the file through PHP, which would query the database for the filename.

For example your url would look like this: http://mydomain.com/file.php?id=2

The contents of your PHP file would be like this (this code is not complete, it just shows you the important parts):

<?php
// file.php?id=2 : look up the stored (md5) name for this id and stream the file.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) { http_response_code(400); exit; }

$pdo  = new PDO('mysql:host=localhost;dbname=mydb', 'dbuser', 'dbpass'); // placeholder credentials
$stmt = $pdo->prepare('SELECT md5 FROM tblfiles WHERE id = ?'); // bound parameter instead of string concatenation
$stmt->execute([$id]);
$md5  = $stmt->fetchColumn();
$path = __DIR__ . '/uploads/' . $md5; // upload directory is an assumption
if ($md5 === false || !ctype_alnum($md5) || !is_file($path)) { http_response_code(404); exit; } // no path traversal, no missing file

header('Content-Type: ' . mime_content_type($path));
header('Content-Disposition: inline; filename="image-' . $id . '"'); // the name "Save as..." will offer instead of the md5
readfile($path);

You can also make your download link more beautiful by using URL rewrites. If you are serving large files you can use X-Accel-Redirect (Nginx) / X-Sendfile (Apache).

Several points have been suggested, but why are you after renaming only?

  • Define a .htaccess file that will only allow access to files with allowed extensions.
  • Do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory.
  • A typical .htaccess which allows only gif, jpg, jpeg and png files should include the following (adapt it to your own needs). This will also prevent double extension attacks.

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>

  • If possible, upload the files in a directory outside the server root.
  • Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
  • Create a list of accepted mime-types (map extensions from these mime types).
  • Generate a random file name and add the previously generated extension.
  • Don’t rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.
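As an added example (not code from this thread), here is a PHP upload handler that applies the checklist above: it sniffs the MIME type from the file bytes, maps that type to an extension from an allowlist, generates a random name, refuses to overwrite, and stores the file outside the web root. Assumed names: the form field "image", the directory /var/www/private_uploads, and a table tblfiles with an auto-increment id and a stored_name column.

```php
<?php
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // outside the web root (assumption)
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowlist: the extension is derived from the *detected* MIME type, never from
// the client-supplied filename, so "shell.php.jpg" can only ever become *.jpg.
const ALLOWED = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

function store_upload(array $file, PDO $pdo): int
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the real content type from the file bytes, not from $file['type'] (client-controlled).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported type: ' . $mime);
    }
    // Second opinion: the file must actually decode as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file is not a valid image');
    }
    // Random name (not derived from the original filename) plus the mapped extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (file_exists($dest)) {
        throw new RuntimeException('name collision, retry'); // never overwrite an existing file
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0640); // not executable, not world-readable
    $stmt = $pdo->prepare('INSERT INTO tblfiles (stored_name) VALUES (?)');
    $stmt->execute([$name]);
    return (int) $pdo->lastInsertId();
}

// Usage: $id = store_upload($_FILES['image'], $pdo); then serve it via file.php?id=$id
```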

You can also add some protection using .htaccess. Also check the MIME type of the uploaded file to verify whether it is really acceptable or not.

Sure, for PNGs you can use one of the many optimizers; for GIFs… convert to PNGs.
For JPEGs you can use jpegtran. http://sylvana.net/jpegcrop/jpegtran/