This is a migrated thread and some comments may be shown as answers.

Preventing GIFAR Attacks

Upload (Obsolete)
John Martin
John Martin asked on 24 Sep 2009, 03:12 PM
Hi All,

I'm using the RadUpload to upload images to a site, which will be used as images for a website. I want to protect against GIFAR attacks and I'm wondering what action I can take to prevent these. I am currently using the RadUpload to only allow uploads of png, jpg and gif images, and I then simply resave the images to my chosen destination. Is this enough to prevent these attacks? If not, what can I do?

Thanks in advance.

1 Answer, 1 is accepted

T. Tsonev
Telerik team
answered on 25 Sep 2009, 03:21 PM
Hello,

RadUpload doesn't process the uploaded files in any way and can't detect malicious files by itself. You'll have to inspect the files manually to decide if they're a threat. Here is the information that I've managed to find on the subject:
http://www.infosecwriters.com/text_resources/pdf/RBrandis_GIFAR.pdf
http://securethoughts.com/2009/01/easy-server-side-fix-for-the-gifar-security-issue/

Thankfully, the bug seems to be fixed as of versions JDK and JRE 6 Update 11, JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19. The best protection would probably be to advise your customers to upgrade to the latest version of Java.

All the best,
Tsvetomir Tsonev
the Telerik team
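As an added illustration of the inspection step the answer recommends (this is not Telerik's code and was not part of the original thread), the Python below accepts a file only if its leading bytes match one of the three formats the question allows and it does not also carry a ZIP end-of-central-directory record, which is the structure a GIFAR needs to be loaded as a JAR. The image bytes and the polyglot fixture are constructed here for the test; the function names are my own.

```python
import io
import zipfile

# Magic numbers for the three formats the question allows (GIF, JPEG, PNG).
IMAGE_MAGICS = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Constructed fixture: a 1x1 GIF with no trailing data.
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
    b"\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
)

def image_kind(data: bytes):
    """Return the format name if the bytes start with a known image magic, else None."""
    for kind, magics in IMAGE_MAGICS.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def embeds_zip(data: bytes) -> bool:
    """True if the bytes carry a ZIP/JAR structure.

    zipfile looks for the end-of-central-directory record at the tail of the
    stream, so an archive appended after valid image data is still found."""
    return zipfile.is_zipfile(io.BytesIO(data))

def check_upload(data: bytes):
    """Accept only a recognised image with no archive payload. Returns (accepted, reason)."""
    kind = image_kind(data)
    if kind is None:
        return False, "not a GIF/JPEG/PNG header"
    if embeds_zip(data):
        return False, f"{kind} image carries a ZIP/JAR archive (GIFAR pattern)"
    return True, kind

def _build_fixture(image: bytes) -> bytes:
    """Constructed test input: image bytes followed by a harmless text-only ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "placeholder member for the detector test")
    return image + buf.getvalue()

GIFAR_FIXTURE = _build_fixture(CLEAN_GIF)
```

The "resave" mentioned in the question only helps if the image is actually decoded and re-encoded from its pixels; copying the uploaded bytes to a new file name keeps the appended archive intact.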
