
Cakephp Image Security

I have a CakePHP application that allows users to upload images. I am currently using version 2.

My concern is that hackers could embed code in the images and that the code would then be executed on the server.

Does anybody know if using the image validation methods used on the CakePHP documentation includes security checks for this?

Here is a link that may explain better what I am asking. PHP image upload security check list

Thanks in advance

You may want to first properly elaborate the situation you are concerned about, like, how would code embedded in an image be executed on the server? What kind of code would that be? What does the server / the application do with these images? Just moving them in the filesystem certainly won't do anything, no matter the file's content.

CakePHP does not ship with any validation functionality that would check for the integrity/validity of binary image data. Possibly image-related validation methods like Validation::mimeType() only do very basic file header checks via PHP's finfo_* or mime_content_type function.

Even if CakePHP validated the image data structure, people could still embed all kinds of stuff via metadata, for example, so if someone managed to include an image in the right context, possibly embedded code could be executed.

As mentioned initially, assess the threat first, then figure out the proper defense mechanisms. If you need more security than CakePHP's built-in validation provides, then you'll probably have to process the image and ditch/filter metadata. However, even that may be exploited; properly crafted PNG IDAT chunks, for example, may even survive processes like resizing/resampling:

https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
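The layered approach the answer describes (a header check of the kind Validation::mimeType() does, a second decoder cross-check, re-encoding to drop metadata, and a server-chosen filename), as an added example that is not code from the original answer or from CakePHP. It assumes PHP with the GD and fileinfo extensions; storeUploadedImage() and $storageDir are hypothetical names, and the directory is assumed to sit outside the webroot.

```php
<?php
// Added example (not from the original answer or CakePHP): a defensive upload
// handler for the checks discussed above. Assumes PHP with the GD and fileinfo
// extensions; $storageDir is a hypothetical directory outside the webroot.

function storeUploadedImage($tmpPath, $storageDir)
{
    // Whitelist of accepted MIME types mapped to the extension we will assign.
    // The client-supplied filename and extension are never used.
    $allowed = array('image/jpeg' => 'jpg', 'image/png' => 'png');

    // 1. Magic-byte check via fileinfo, the same kind of header check that
    //    Validation::mimeType() performs. Cheap, but it only looks at the header.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if (!isset($allowed[$mime])) {
        return false;
    }

    // 2. Cross-check with getimagesize(); disagreement between the two
    //    detectors indicates a polyglot or malformed file.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return false;
    }

    // 3. Bound the dimensions so decoding cannot exhaust memory, then
    //    re-encode through GD. Re-encoding drops EXIF/XMP/comment metadata and
    //    anything appended after the image, but it does NOT neutralize payloads
    //    carried in pixel data (see the IDAT write-up linked above), so the
    //    stored file must still never be served from a PHP-executing location.
    if ($info[0] > 4096 || $info[1] > 4096) {
        return false;
    }
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return false;
    }

    // 4. Random, server-chosen filename with a whitelisted extension.
    $name = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    $ok = ($mime === 'image/png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    return $ok ? $name : false;
}
```

In a CakePHP 2 model this would typically run from beforeSave() on the $_FILES tmp_name, storing only the returned name in the database.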
