Can uploading pictures of a supplier's products jeopardize the site's security?
Each supplier of goods has the opportunity to upload their catalog of goods on our website through their account. When uploading goods, we download images from the URL provided by the supplier and put them in the desired folder.
The question is: if some malicious code is embedded in the picture, can our site suffer, and how can we protect ourselves from this?
Or should we store pictures outside of the server folders, on a separate cloud service?
So far, two questions are of interest:
- can users who visit the site pick up malicious code by downloading pictures;
- can our site itself become infected after uploading a picture?
A file of any format contains service information. In its place there may well be virus code. But to run it, the file must be opened by a vulnerable application (which one depends on the virus and the file format).
If you are sure that you will not open files with such applications, you can resume downloading. However, if I were you, I would play it safe. It is better to check the file with an antivirus or re-save it to another format on the fly.
Check pictures by MIME type: the picture is a jpg/png, not an mp3 file with that extension.
It can hang the server when resizing if there is no check on image resolution (a resolution of 10,000 by 10,000 and more); a zip bomb can take down a weak server.
"The question is: if some malicious code is embedded in the picture, can our site suffer, and how can we protect ourselves from this?"
Yes. It may get hurt.
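The two checks suggested in the answers above (identify the picture by its content rather than its extension, and refuse very large resolutions before resizing), as an added example that is not part of any answer. `MAX_PIXELS`, the function names and the sample bytes are assumptions constructed for illustration, and only PNG and JPEG are handled.

```python
import struct

MAX_PIXELS = 25_000_000  # assumed limit; tune to the resizer's memory budget
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# JPEG start-of-frame markers carry height/width (C4, C8, CC are not SOF)
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def png_size(data):
    # IHDR must be the first chunk: length(4) type(4) width(4) height(4)
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise ValueError("PNG without leading IHDR")
    return struct.unpack(">II", data[16:24])

def jpeg_size(data):
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG segment")
        marker = data[pos + 1]
        # fill bytes and standalone markers have no length field
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD9:
            pos += 1 if marker == 0xFF else 2
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF and pos + 9 <= len(data):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        if seglen < 2:
            raise ValueError("corrupt JPEG segment length")
        pos += 2 + seglen
    raise ValueError("JPEG without frame header")

def inspect_image(data):
    """Return (mime, width, height) from file content, ignoring name and URL."""
    if data.startswith(PNG_SIG):
        mime, (w, h) = "image/png", png_size(data)
    elif data.startswith(b"\xff\xd8\xff"):
        mime, (w, h) = "image/jpeg", jpeg_size(data)
    else:
        raise ValueError("not a PNG or JPEG")
    if w == 0 or h == 0 or w * h > MAX_PIXELS:
        raise ValueError(f"refusing {w}x{h} image")
    return mime, w, h

# Constructed samples: header bytes only, enough for the checks above.
HUGE_PNG = PNG_SIG + struct.pack(">I4sII", 13, b"IHDR", 10_000, 10_000)
SMALL_JPEG = (b"\xff\xd8\xff\xe0\x00\x04JF\xff\xc0\x00\x0b\x08"
              + struct.pack(">HH", 600, 800))
MP3_AS_JPG = b"ID3\x03\x00\x00\x00\x00\x00\x0a"  # mp3 tag under a .jpg name
```

Run it on the downloaded bytes before they reach the resizer; re-saving the picture, as the first answer suggests, is a separate step done with an image library.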