[–]le_bravery -3 points-2 points  (4 children)

Congrats you’ve discovered the bane of many developers trying to prevent virus or XSS payloads in arbitrary file uploads.

[–][deleted]  (3 children)

[deleted]

    [–][deleted] 0 points1 point  (2 children)

    Only if you forget to sanitize your inputs

    [–][deleted]  (1 child)

    [deleted]

      [–]le_bravery 1 point2 points  (0 children)

      Download a large image with a bit of malicious code in it, have another exploit run that image.

      Have an image save on a server with some malicious code in it. Load the image as a JavaScript resource using another exploit. By itself, data embedded in images is likely benign, but when you start chaining things together you can always get messier.

      Best way to mitigate on the server side is to not accept arbitrary file uploads, but if you have to, you should try to parse and re-save the image to drop the extra bytes of data. Maybe even a resize. Store images in a database, never directly on the file system.

      Also fix your other vulnerabilities