XSS attack via unchecked image uploads

By Adrian Smith17 Aug 2010300 words2 mins to read

If you allow users of your website to upload data (e.g. images), and you display this data to other users, you need to open the file on the server to examine it and check that it really is what it should be (e.g. an image).

Most website software will need to examine the image anyway, to extract thumbnails, determine width/height, etc. In which case, this security comes for free. But I've seen software which doesn't have any such needs, and thus server-side examination is not done.

The reason is:

I was unaware of this before 1 brought this my attention, thanks! More information.

This article was written by Adrian Smith on 17 Aug 2010

Follow me: Facebook | Twitter | Email

More on: Security | Web | Software Architecture