Preventing GIFAR Attacks

  1. John Martin
    15 posts
    Member since:
    Nov 2005

    Posted 24 Sep 2009

    Hi All,

    I'm using RadUpload to upload images to a site, which will be used as images for a website. I want to protect against GIFAR attacks and I'm wondering what action I can take to prevent these. I am currently using RadUpload to only allow uploads of png, jpg and gif images; I then simply resave the images to my chosen destination. Is this enough to prevent these attacks? If not, what can I do?

    Thanks in advance.
  2. T. Tsonev
    Admin
    2834 posts

    Posted 25 Sep 2009

    Hello,

    RadUpload doesn't process the uploaded files in any way and can't detect malicious files by itself. You'll have to inspect the files manually to decide if they're a threat. Here is the information that I've managed to find on the subject:
    http://www.infosecwriters.com/text_resources/pdf/RBrandis_GIFAR.pdf
    http://securethoughts.com/2009/01/easy-server-side-fix-for-the-gifar-security-issue/

    Thankfully, the bug seems to be fixed as of versions JDK and JRE 6 Update 11, JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19. The best protection would probably be to advise your customers to upgrade to the latest version of Java.

    All the best,
    Tsvetomir Tsonev
    the Telerik team
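Editor's note, not part of either post above: a GIFAR is a valid GIF with a JAR (a ZIP archive) appended after the GIF trailer byte. Image viewers stop at the trailer, while the Java archive reader starts from the ZIP end-of-central-directory record at the end of the file, so the same bytes pass an image whitelist and still load as an applet. The "inspect the files" step the reply recommends can be automated: reject any upload whose bytes start with an image magic number but also parse as a ZIP, and for GIFs walk the block structure to find where the image really ends and drop everything after it. The following is added example code written for this page, not Telerik code and not taken from either linked article. It uses only the Python standard library; the 1x1 GIF and the archive contents (a placeholder text entry rather than a class file) are constructed inline for the demonstration. Genuinely re-encoding the pixels into a fresh file, as opposed to copying the upload byte-for-byte, also discards appended data, which is why the "resave" step in the question matters only if it actually re-encodes.

```python
import io
import zipfile

# Magic numbers for the three image types the upload whitelist allows.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def image_type(data: bytes):
    """Return 'gif', 'png', 'jpg' by leading magic bytes, or None."""
    for kind, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return kind
    return None


def contains_zip(data: bytes) -> bool:
    """True if a ZIP end-of-central-directory record is found at the tail.
    zipfile locates the archive from the end, exactly as a JAR loader does,
    so an image with a JAR appended is reported as a ZIP."""
    return zipfile.is_zipfile(io.BytesIO(data))


def gif_length(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the
    trailer byte (0x3B). Anything beyond that offset is not part of the image."""
    if data[:6] not in IMAGE_MAGIC["gif"]:
        raise ValueError("not a GIF")

    def skip_sub_blocks(p: int) -> int:
        # Data sub-blocks: one length byte followed by that many bytes,
        # terminated by a zero-length block.
        while True:
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    try:
        pos = 13  # 6-byte header + 7-byte logical screen descriptor
        packed = data[10]
        if packed & 0x80:  # global colour table present
            pos += 3 * (2 << (packed & 0x07))
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:  # trailer
                return pos
            if block == 0x21:  # extension: label byte, then sub-blocks
                pos = skip_sub_blocks(pos + 1)
            elif block == 0x2C:  # image descriptor
                img_packed = data[pos + 8]
                pos += 9
                if img_packed & 0x80:  # local colour table present
                    pos += 3 * (2 << (img_packed & 0x07))
                pos += 1  # LZW minimum code size
                pos = skip_sub_blocks(pos)
            else:
                raise ValueError("unknown GIF block 0x%02x at %d" % (block, pos - 1))
    except IndexError:
        raise ValueError("truncated GIF")


def strip_gif_trailing_data(data: bytes) -> bytes:
    """Keep only the bytes that belong to the GIF; drops an appended JAR."""
    return data[: gif_length(data)]


def minimal_gif() -> bytes:
    """Constructed 1x1 GIF89a with a two-entry global colour table."""
    return (
        b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"   # header + screen descriptor
        + b"\x00\x00\x00\xff\xff\xff"                 # global colour table
        + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
        + b"\x02\x02\x44\x01\x00"                     # LZW min size + image data
        + b"\x3b"                                     # trailer
    )


def build_gifar(image: bytes, archive_files: dict) -> bytes:
    """Constructed polyglot: a valid image followed by a ZIP (JAR) archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in archive_files.items():
            zf.writestr(name, content)
    return image + buf.getvalue()


def upload_is_safe(data: bytes) -> bool:
    """Policy for the upload handler: must be a whitelisted image type and
    must not double as a ZIP archive."""
    return image_type(data) is not None and not contains_zip(data)


if __name__ == "__main__":
    clean = minimal_gif()
    polyglot = build_gifar(clean, {"placeholder.txt": b"constructed payload"})
    print("clean gif safe:", upload_is_safe(clean))
    print("gifar safe:", upload_is_safe(polyglot))
    print("gifar image ends at byte", gif_length(polyglot), "of", len(polyglot))
    print("stripped gifar safe:", upload_is_safe(strip_gif_trailing_data(polyglot)))
```

The ZIP check covers all three whitelisted formats because the archive is always located from the end of the file; the trailer walk is GIF-specific, and PNG and JPEG would need their own end-of-image checks (the IEND chunk and the EOI marker respectively) before trailing data could be stripped the same way.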
