FileUpload security risk

f1l0
Posts: 18
Joined: 14 Feb 2013, 09:50
Location: Austria

20 Dec 2014, 22:57

Hi all,

I'm currently working on a PF application that uses the fileupload component to upload some pictures and then show them on a page.

The security team showed me a big security problem. In fact they are able to upload a JSP file and then access it to run any system command on the file system!

In the fileupload the attribute allowTypes is like this: allowTypes="/(\.|\/)(jpe?g|png)$/".

They told me that it is very simple to avoid the client-side check by changing the file name during the transmission of the data in the POST (I don't know which tool they used to do it) from jpeg to jsp. Once the JSP file is on the server they can access it and the scriptlet is executed!

What I'm going to do is change the file upload handler method so that ONLY real pictures are really saved.

I'm thinking to first check the file extension (if this can really be helpful), then check the "magic number" in the uploaded file (I will give this library a try: http://256.com/sources/simplemagic/). Is it enough to check the magic number to avoid JSP files?

Then try to manipulate the image with another library (for example: cut away 1 pixel on one side OR make a minimal change to the colour) so that the result should be a valid picture (without any other dangerous content). In this way a jsp file will generate an exception...

Do you have any kind of suggestion for this task?

How can I prevent the execution of a JSP in a JSF application? (Can the faces servlet mapping resolve this?? /faces/* to /faces/*.xhtml)

Should the file upload component do a check (server side too) to increase security automatically (maybe according to the allowed types)?

Thank you,

Roberto
PrimeFaces 8 | PrimeVue 1.3.2 | Weblogic Server | NetBeans 8.1 | Mageia 7

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

21 Dec 2014, 00:20

All these issues are imo not PF upload related, but something the developer should take care of.
- JSPs can only be 'executed' when uploaded to the webapp folder: bad choice
- executing system calls for any class can/should be prevented by java.policy files
- checking if something is a valid image can be done with lots of libraries, or even just recent JDKs; no need to actually manipulate them

f1l0
Posts: 18
Joined: 14 Feb 2013, 09:50
Location: Austria

21 Dec 2014, 10:40

Hi kukeltje,

thank you for your response.

Yes, sure I have to improve the handle fileupload method.

What I was thinking is that allowTypes was also a server-side check...

Thank you,

Roberto

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

22 Dec 2014, 11:08

Yes, server-side filetype checking could be added... Please file an issue

f1l0
Posts: 18
Joined: 14 Feb 2013, 09:50
Location: Austria

22 Dec 2014, 20:42

OK, I will do it.

If this can help somebody else: I just used the Apache Tika library to detect the content type (magic number) and then a check with ImageIO.read() (which returns null in the case of a text file).

Thank you
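Putting the thread's suggestions together (magic-number check, ImageIO decode, re-encoding the picture, and storing it outside the webapp folder) as an added example; this is not code from the thread, from PrimeFaces or from the libraries named above. It assumes the upload handler already has the request body as a byte array (however your PrimeFaces version exposes it from UploadedFile), a hypothetical storage directory /var/app/uploads that is outside the deployed application, and the size and pixel caps shown as constants. It uses only the JDK's javax.imageio, so neither simplemagic nor Tika is required.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Iterator;
import java.util.UUID;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;

/**
 * Server-side acceptance of an uploaded "picture". Nothing here trusts the
 * client: not the file name, not the Content-Type header, not the allowTypes regex.
 */
public final class ImageUploadValidator {

    // Assumption: storage root OUTSIDE the deployed webapp, so a file written
    // here can never be compiled or served as a JSP by the container.
    static final Path STORE = Paths.get("/var/app/uploads");

    static final long MAX_BYTES  = 5L * 1024 * 1024;   // assumption: 5 MiB per upload
    static final long MAX_PIXELS = 25L * 1000 * 1000;  // assumption: ~25 Mpixel decode cap

    private static final byte[] JPEG_MAGIC = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] PNG_MAGIC  = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

    /** "jpg" or "png" when the leading bytes match that container, otherwise null. */
    static String sniffFormat(byte[] data) {
        if (startsWith(data, JPEG_MAGIC)) return "jpg";
        if (startsWith(data, PNG_MAGIC))  return "png";
        return null;
    }

    private static boolean startsWith(byte[] data, byte[] magic) {
        return data.length >= magic.length
                && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    /**
     * Validates the raw upload and stores a freshly encoded copy under a
     * server-generated name. Throws IOException on anything suspicious.
     *
     * @param data the upload body (assumption: the caller obtained it from UploadedFile)
     * @return the stored file name; the client-supplied file name is never used
     */
    public static String acceptPicture(byte[] data) throws IOException {
        if (data == null || data.length == 0 || data.length > MAX_BYTES) {
            throw new IOException("rejected: size");
        }

        // 1. Magic number: cheap, rejects anything that is not a JPEG/PNG container,
        //    including a .jsp renamed to .jpg (which starts with "<%" or "<html").
        String format = sniffFormat(data);
        if (format == null) {
            throw new IOException("rejected: not a JPEG or PNG header");
        }

        // 2. Full decode, with a dimension check before decoding. A valid header can sit on
        //    top of garbage, or on top of a tiny file declaring a huge image (decompression bomb).
        BufferedImage img;
        try (ImageInputStream iis = ImageIO.createImageInputStream(new ByteArrayInputStream(data))) {
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
            if (!readers.hasNext()) {
                throw new IOException("rejected: no ImageIO reader accepts this data");
            }
            ImageReader reader = readers.next();
            try {
                reader.setInput(iis, true, true);
                long w = reader.getWidth(0), h = reader.getHeight(0);
                if (w <= 0 || h <= 0 || w * h > MAX_PIXELS) {
                    throw new IOException("rejected: image dimensions " + w + "x" + h);
                }
                img = reader.read(0);   // throws on a corrupt or truncated stream
            } finally {
                reader.dispose();
            }
        }

        // 3. Re-encode from the decoded pixels. A JPEG that passed steps 1 and 2 can still
        //    carry arbitrary bytes (e.g. a scriptlet) in a COM or APPn segment, and a PNG in a
        //    tEXt chunk; writing a new file from the BufferedImage drops all of that.
        String name = UUID.randomUUID().toString() + "." + format;
        Path target = STORE.resolve(name);
        Files.createDirectories(STORE);
        try (OutputStream out = Files.newOutputStream(target)) {
            if (!ImageIO.write(img, format, out)) {
                Files.deleteIfExists(target);
                throw new IOException("rejected: no ImageIO encoder for " + format);
            }
        }
        return name;
    }
}
```

The magic number alone answers the question in the first post only for the renamed-.jsp case; it does not catch a real JPEG with a scriptlet appended or embedded in a comment segment, and ImageIO.read() would decode that file happily too, which is why step 3 writes a new file from the pixels instead of saving the upload bytes. Because the stored name is generated on the server, the client file name cannot be used for path traversal or to pick an executable extension. When showing the pictures back, serve them from STORE through a servlet or resource handler that sets the Content-Type from the stored extension, rather than copying them into the webapp; the allowTypes regex can stay as a usability check on the client, but it is not a security control.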
