I have been reading about a couple of image upload exploits today: the null byte exploit and embedding PHP in an image.
As I see it, neither exploit will have any effect until the file is loaded into memory on, say, a PHP page or run by a hacker, and one recommendation is to rename the file.
This will stop the null byte exploit, as the file will then have an ordinary image file extension and should fail to do anything, since the code will not be able to run if it is the incorrect file type?
I do not see this working with the PHP-embedded image, and thought resizing the image would remove the code, but it does not. If I use a resize that strips everything apart from the colour profile, it does work.
So my thinking is:
1/ Upload the file which will go into the temp folder and get a temporary filename - no problem here as it is not being run.
2/ Modify the image from the temp folder stripping all data except the colour profile.
3/ Save with a different name and a specific file extension.
Does this make sense? The only problem I can see is that I am doing steps 2/ and 3/ using ImageMagick with exec();
Another post said to put the file outside the root - above root? But if the file is being used on a page, will it run when loaded into the browser from the web page?
I would be interested in your thoughts.
P.S. I had read a while ago that checking the first six or so characters of the file was a safe way to validate the file type, but the PHP embedded into a file comes after that, and so it would not work.
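The three-step procedure in the question (accept the temp file, rewrite the image keeping only pixel data, save under a server-chosen name with a fixed extension), as an added PHP example that is not part of the original post. It uses the GD extension instead of shelling out to ImageMagick, so no exec() is involved. The constants `UPLOAD_DIR` and `MAX_BYTES`, the form field name `image`, and the helper names `storeUploadedImage` and `serveImage` are assumptions for the example; the upload directory is assumed to sit outside the document root.

```php
<?php
// Added example, not code from the original post. Assumes GD is installed and
// that UPLOAD_DIR (constructed path) is NOT under the web server's document root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed location, outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;      // size cap before any decoding happens

/**
 * Steps 1-3 of the question: take PHP's temp upload, decode it, copy only the
 * pixels into a fresh image, and write that under a random name with a fixed
 * extension. Returns the stored filename or throws on any validation failure.
 */
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];
    // Only accept a file PHP itself placed in the temp directory for this request.
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('rejected');
    }

    // Type comes from the image header, never from the client-supplied filename
    // or Content-Type. getimagesize() alone only looks at the header (the "first
    // few bytes" check from the P.S.); the real guarantee is the full decode below.
    $info = @getimagesize($tmp);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG:
            $src = @imagecreatefromjpeg($tmp);
            $ext = 'jpg';
            break;
        case IMAGETYPE_PNG:
            $src = @imagecreatefrompng($tmp);
            $ext = 'png';
            break;
        default:
            throw new RuntimeException('unsupported image type');
    }
    if ($src === false) {
        throw new RuntimeException('decode failed');
    }

    // Step 2: copy the pixels onto a brand-new canvas. Only pixel data crosses
    // this boundary; EXIF, comments, ICC profiles and anything appended after the
    // end-of-image marker stay behind in the temp file, which PHP deletes.
    $w = imagesx($src);
    $h = imagesy($src);
    $dst = imagecreatetruecolor($w, $h);
    if ($ext === 'png') {
        imagealphablending($dst, false);
        imagesavealpha($dst, true);
    }
    imagecopy($dst, $src, 0, 0, 0, 0, $w, $h);
    imagedestroy($src);

    // Step 3: server-chosen random name and a fixed extension. The original
    // filename (null bytes included) never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = UPLOAD_DIR . '/' . $name;
    $ok = ($ext === 'png') ? imagepng($dst, $path, 9) : imagejpeg($dst, $path, 85);
    imagedestroy($dst);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    return $name;
}

/**
 * Answer to the "outside the root" question: a file outside the document root
 * has no URL, so the PHP handler never runs it. A script streams it as bytes
 * with an image Content-Type, and the browser treats it as an image only.
 */
function serveImage(string $name): void
{
    // Accept only names this application generated; no path components allowed.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . (substr($name, -3) === 'png' ? 'image/png' : 'image/jpeg'));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage in the upload handler (assumed form field name "image"):
// $stored = storeUploadedImage($_FILES['image']);
```

If ImageMagick is preferred over GD, the same rewrite can be done without exec() through the Imagick extension (`new Imagick($tmp)`, `stripImage()`, `writeImage($path)`), keeping the random name and fixed extension exactly as above. The rewrite is one layer, not the whole defence: the fixed extension, the directory with no script execution, and the streaming handler each still hold if a particular payload happens to survive re-encoding.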