Mona Troy  
#1 Posted : Thursday, March 8, 2007 12:36:19 AM(UTC)
Mona Troy

Rank: Member

Groups: Member
Joined: 1/17/2007(UTC)
Posts: 14

Dear Aurigma;

We are registered users of Aurigma Image Uploader 4.1.

The Image Uploader seems to be working fine on our site for the most part. However, something happened recently, that has left us feeling puzzled.

1. We have set a file-size limit of 200-KB per image, and the Image Uploader successfully filters/blocks files that are too big, and does not normally allow the user to upload files larger than 200-KB in size.

2. However, we found out recently that a user uploaded files that are about five times the size (up to 910-KB each). We are puzzled as to how that might have happened, and why/how the Image Uploader allowed them to bypass/exceed the per-image file-size limits. When we try to replicate the problem at our end using the same 910-KB file(s) that the user uploaded, the Image Uploader seems to successfully block them, and does not even allow us to select them for "Send/Upload".

My questions now are:

a. Are there any web-browsers out there (or any other known issues/methods/hacks) that will allow a user to circumvent/bypass Image Uploader's file-size filtering mechanism?

b. What technique could the user have used to upload the large files, and how can we prevent this from happening again? In looking at the uploaded files we are reasonably sure that the actual code on the page where Image Uploader is embedded was used (and not direct FTP for uploading the files) because the file renaming scheme is the same that a properly uploaded file would be expected to have.

Any advice/help would be greatly appreciated. We use Windows XP Pro, and IE 7.0 (the code is in ASP .Net). However, the user seems to have been at a University/Educational Institution, and there is no telling what operating system or browser they might have used.

Thank you.



#2 Posted : Thursday, March 8, 2007 2:56:35 AM(UTC)

Rank: Member

Groups: Member
Joined: 10/29/2006(UTC)
Posts: 21

Because the Image Uploader posts the files to a location that is easily determined by looking at the source of the page, it would be possible (in fact, very easy) for someone to simply post files directly to that page and bypass the Image Uploader entirely.

You can't rely on anything client-side like the image uploader to restrict what can be sent to the server, in the same way that setting a max file size in an HTML form should be considered a gentle reminder, rather than a real restriction.

If you are using something like PHP on the server side, you should be able to restrict the maximum post size that you will receive. You could also perhaps check things like the User-Agent string to see if it is the Image Uploader that is sending the files, although that is probably pointless as it's just as easy to fake.

Even if you don't restrict the max post size to your script, you can read the images coming in and if they exceed the file size you set as the maximum, then you can abort the whole process.
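The bypass and the server-side fix described in the post above, as an added example: this is not Aurigma's code and not the ASP.NET handler on Mona's site, but a Python sketch of the same idea. `build_direct_post` hand-crafts a multipart POST the way a script would (the client-side 200 KB filter simply never runs), and `receive_uploads` is the kind of server-side check Stark77 means: it streams the body in chunks, counts each file part's bytes itself, ignores Content-Length and the User-Agent entirely, and aborts as soon as any part exceeds the limit, before the oversized file is ever buffered or saved. The field names, filenames and byte sizes are constructed test data.

```python
import io
import uuid

MAX_IMAGE_BYTES = 200 * 1024  # the per-image limit from the thread (assumed 200 KB exactly)


def build_direct_post(files):
    """Build a raw multipart/form-data body as an attacker's script would.

    `files` is a list of (field_name, filename, data_bytes). Nothing here
    consults the uploader control or its size filter; the server sees only this.
    Returns (boundary, body_bytes)."""
    boundary = "----direct" + uuid.uuid4().hex
    parts = []
    for field, filename, data in files:
        head = (
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
        ).encode()
        parts.append(head + data + b"\r\n")
    return boundary, b"".join(parts) + f"--{boundary}--\r\n".encode()


class UploadTooLarge(Exception):
    def __init__(self, filename, limit):
        super().__init__(f"{filename!r} exceeds {limit} bytes")
        self.filename = filename


def _filename_from(headers):
    """Pull filename="..." out of a part's Content-Disposition header."""
    for line in headers.split("\r\n"):
        if line.lower().startswith("content-disposition:"):
            for token in line.split(";"):
                token = token.strip()
                if token.startswith("filename="):
                    return token[len("filename="):].strip('"')
    return None


def receive_uploads(stream, boundary, max_part_bytes=MAX_IMAGE_BYTES, chunk_size=8192):
    """Server-side enforcement that trusts nothing the client sent about size.

    Reads the multipart body from `stream` in chunks, counts the bytes of each
    file part as they arrive, and raises UploadTooLarge the moment a part passes
    max_part_bytes. Returns [(filename, data)] for the parts that fit."""
    bnd = boundary.encode()
    delim = b"\r\n--" + bnd          # delimiter that ends a part body
    buf = b""
    accepted = []

    def fill():
        nonlocal buf
        chunk = stream.read(chunk_size)
        buf += chunk
        return bool(chunk)

    # Discard the preamble up to and including the first boundary line.
    while True:
        idx = buf.find(b"--" + bnd)
        if idx != -1:
            buf = buf[idx + len(bnd) + 2:]
            break
        if not fill():
            raise ValueError("no multipart boundary found")

    while True:
        while len(buf) < 2 and fill():
            pass
        if buf.startswith(b"--"):       # closing boundary: done
            return accepted
        if not buf.startswith(b"\r\n"):
            raise ValueError("malformed boundary line")
        buf = buf[2:]

        # Part headers run up to the first blank line.
        while (end := buf.find(b"\r\n\r\n")) == -1:
            if not fill():
                raise ValueError("truncated part headers")
        filename = _filename_from(buf[:end].decode("latin-1"))
        buf = buf[end + 4:]

        # Stream the part body, counting bytes; abort past the limit without buffering the rest.
        size, body = 0, io.BytesIO()
        while (cut := buf.find(delim)) == -1:
            # Keep len(delim)-1 trailing bytes in case the delimiter straddles a chunk.
            safe = max(0, len(buf) - (len(delim) - 1))
            size += safe
            if size > max_part_bytes:
                raise UploadTooLarge(filename, max_part_bytes)
            body.write(buf[:safe])
            buf = buf[safe:]
            if not fill():
                raise ValueError("truncated part body")
        size += cut
        if size > max_part_bytes:
            raise UploadTooLarge(filename, max_part_bytes)
        body.write(buf[:cut])
        buf = buf[cut + len(delim):]
        accepted.append((filename, body.getvalue()))


def try_upload(files, max_part_bytes=MAX_IMAGE_BYTES):
    """Push a hand-crafted POST through the server-side check.
    Returns ("accepted", [filenames]) or ("rejected", offending_filename)."""
    boundary, body = build_direct_post(files)
    try:
        accepted = receive_uploads(io.BytesIO(body), boundary, max_part_bytes)
    except UploadTooLarge as exc:
        return ("rejected", exc.filename)
    return ("accepted", [name for name, _ in accepted])


if __name__ == "__main__":
    # Constructed data: a 150 KB file that fits and a 910 KB file like the one in the thread.
    print(try_upload([("file1", "ok.jpg", b"B" * (150 * 1024))]))
    print(try_upload([("file1", "ok.jpg", b"B" * (150 * 1024)),
                      ("file2", "big.jpg", b"A" * (910 * 1024))]))
```

The same principle applies to every other client-side filter the control offers (file type, number of files): whatever the page enforces in the browser, the upload handler has to enforce again on the request it actually receives.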

Mona Troy  
#3 Posted : Friday, March 9, 2007 8:16:11 AM(UTC)
Mona Troy

Rank: Member

Groups: Member
Joined: 1/17/2007(UTC)
Posts: 14

Thank you so much, for your reply! I have not heard back from the Aurigma folks yet. Let us see what they have to say about this. Appreciated your posting! Cheers, Mona.

George Ulyanov  
#4 Posted : Friday, March 9, 2007 6:06:10 PM(UTC)
George Ulyanov

Rank: Advanced Member

Groups: Administration
Joined: 7/26/2006(UTC)
Posts: 203

Hello everybody,

Mona, Stark77 is right: in any case you should check all restrictions on the server side too.


Best regards,

George Ulyanov
