Ways to stop people from uploading GIFs with injections in them?

Backend · Unresolved · 7 answers · 671 views
无人共我 2021-02-01 06:36

I have a PHP website where people can fill out help-tickets. It allows them to upload screenshots for their ticket. I allow gif, psd, bmp, jpg, png, tif to be uploaded. Upon

7 answers
  •  北荒 (OP)
     2021-02-01 07:15

    1) You're never going to know exactly what the problem was if you deleted the .gif and your A/V didn't write a log.

    Q: Is the .gif in question still on the server?

    Q: Have you checked your A/V logs?

    2) There are many different possible exploits, which may or may not have anything directly to do with the .gif file format. Here is one example:

    • http://www.phpclasses.org/blog/post/67-PHP-security-exploit-with-GIF-images.html

    3) To mitigate the risk in this example, you should:

    a) Only upload files (any files) to a secure directory on the server

    b) Only serve files with specific suffixes (.gif, .png, etc)

    c) Be extremely paranoid about anything that's uploaded to your site (especially if you then allow other people to download it from your site!)
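The answer's three points worked into an upload handler and a serving endpoint for the ticket site described in the question. This is an added example written for this page, not code from the thread or from the linked article. It assumes PHP 8 with the GD and fileinfo extensions, an upload directory `/var/app/uploads` outside the web root, a form field named `screenshot` and a `serve.php` endpoint; every one of those names is an assumption, not something the original post states.

```php
<?php
// Added example, not code from the thread. It implements points (a) and (b) of
// the answer: store uploads outside the web root under a server-chosen name,
// re-encode what GD can decode so bytes that are not pixel data (where an
// embedded "<?php" payload lives) are dropped, and hand files back only through
// a whitelist of extension => MIME type. Assumed (not in the original post):
// UPLOAD_DIR, the field name "screenshot", and that serve.php is the only way
// uploads are read back. Requires PHP 8 with the GD and fileinfo extensions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: outside DocumentRoot, not executable
const MAX_BYTES  = 5 * 1024 * 1024;

// Extension => MIME type we are willing to store and serve back (the question's list).
const ALLOWED = [
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'bmp' => 'image/bmp',
    'tif' => 'image/tiff',
    'psd' => 'image/vnd.adobe.photoshop',
];

// Formats GD can round-trip; tif and psd are stored as-is and only ever downloaded.
const DECODERS = ['gif' => 'imagecreatefromgif', 'jpg' => 'imagecreatefromjpeg',
                  'png' => 'imagecreatefrompng', 'bmp' => 'imagecreatefrombmp'];
const ENCODERS = ['gif' => 'imagegif', 'jpg' => 'imagejpeg',
                  'png' => 'imagepng', 'bmp' => 'imagebmp'];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Ignore the client-supplied name and Content-Type; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === 'image/x-ms-bmp') {        // older libmagic spelling of BMP
        $mime = 'image/bmp';
    }
    $ext = array_search($mime, ALLOWED, true);
    if ($ext === false) {
        throw new RuntimeException("rejected content type: $mime");
    }

    // Server-chosen name: the uploader never influences the path or the suffix.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (isset(DECODERS[$ext])) {
        // Decode to pixels and write a fresh file. GIF comment blocks, trailing
        // data and any other non-image bytes are not copied across.
        // Caveat: GD keeps only the first frame of an animated GIF.
        $decode = DECODERS[$ext];
        $img = @$decode($file['tmp_name']);
        if ($img === false) {
            throw new RuntimeException('file is not a valid image');
        }
        $encode = ENCODERS[$ext];
        $ok = $encode($img, $dest);
        imagedestroy($img);
    } else {
        $ok = move_uploaded_file($file['tmp_name'], $dest);
    }
    if (!$ok) {
        throw new RuntimeException('could not save file');
    }
    chmod($dest, 0640);                      // readable by the app, never executable
    return $name;
}

function serve_file(string $name): void
{
    // Accept only names this code generated: 32 hex chars, a dot, a whitelisted suffix.
    if (!preg_match('/\A[0-9a-f]{32}\.([a-z]{3})\z/', $name, $m) || !isset(ALLOWED[$m[1]])) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    $ext = $m[1];
    // Browser-viewable images are shown inline; tif/psd are forced to download.
    $disposition = isset(DECODERS[$ext]) ? 'inline' : 'attachment';
    header('Content-Type: ' . ALLOWED[$ext]);
    header('X-Content-Type-Options: nosniff');   // stop the browser re-sniffing the bytes as HTML/JS
    header('Content-Disposition: ' . $disposition . '; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);   // bytes are copied out; the file is never handed to the PHP interpreter
    exit;
}

// Usage (assumed field and query names):
//   $stored = store_upload($_FILES['screenshot']);   // on ticket submit; persist $stored with the ticket
//   serve_file($_GET['f'] ?? '');                     // in serve.php, e.g. serve.php?f=<stored name>
```

The two halves only work together: because the upload directory is outside the web root and reached only through `serve_file`, a stored file can never be requested directly, so tricks that depend on the web server's handler mapping (a GIF that ends up being run as PHP, or a renamed `.php` file) have nothing to attach to. Re-encoding through GD is what actually removes a payload hidden in a GIF; `tif` and `psd` are not re-encoded, which is why they are served as opaque downloads rather than displayed.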
