Dealing with virus infected files in a file uploading web application (PHP)

Posted by texens, 04-06-2010, 12:44 AM
Hi, I am an undergraduate student and an open source enthusiast. I have been working on a web application and I stumbled upon a problem. I haven't been able to find any good solutions to the problem yet. I've tried googling, but without success. Here's my problem: I'm working on an open source web application which can be downloaded by anyone and hosted on his own webserver. Let me give an example, say the WordPress blogging engine. One can download the WordPress source code from wordpress.org and host it on his own webserver. The webserver can be IIS running on Windows or Apache running on Linux. Using this application, end users can upload files (images, text, doc, videos etc.) to the server using an upload option on the site. I have to check the file to make sure that it is not infected with a virus. If it were a dedicated webserver hosted in a single place, I would have used ClamAV for Linux or Norton for Windows. But we're talking about a web application that will be downloaded by users and hosted by them on their own servers - we do not know beforehand whether it will be a Linux machine or a Windows machine. The application is written in PHP. Are there any modules in PHP that I could add as a helper module in my application and use to check uploaded files for malicious content? I'm an undergraduate student and have little or no exposure to web server security. I believe most of the people here are server administrators and I'd like to know how they handle security issues, especially for files uploaded by users. Looking forward to some enlightenment on this issue. Thank you

Posted by sam0, 04-06-2010, 01:42 AM
Why do you need to check if it's a virus or not? No virus scanner is 100% anyway. You could submit to jotti or virustotal; however, that would take quite a while.

Posted by texens, 04-06-2010, 01:56 AM
Thanks for the quick reply sam250. Once the file has been uploaded by the end user, the administrator can use a third party tool to process the files. For example, if it's an image file, he can open the image for viewing, cropping, resizing or rotating etc. If it's a document, he can open it and edit it etc. If the file contains a virus, it can jeopardize the server's security. Hence, we want to make sure that the file does not contain any virus/malware etc. I understand that virus scanning won't be 100% secure, but it would make sense to check the file to avoid at least the known and detectable virus definitions.

Posted by sam0, 04-06-2010, 02:02 AM
Well you wouldn't be able to 'process' executables? So as long as you're not executing the file you should be fine. If you still want to do it the only way I know of would be like I said, submitting to jotti or virustotal, which are online virus scanner services which are made up of lots of different virus scanners, however there is usually quite a long queue and I'm not sure if jotti or virustotal would be happy accepting automated submissions.

Posted by texens, 04-06-2010, 02:25 AM
I'm a novice in the field of web security, and hence don't have any experience in security. So, just like an ideal student, I googled and discovered that even image files can be infected with viruses. And opening an image file could trigger the virus (I hope this sounds right). I've been thinking of using something on these lines: In case of Linux I can use ClamAV, and in case of Windows systems, I can prompt the admin to set the path to his proprietary antivirus's executable in the application's config file during installation. When a user uploads a file, a trigger will call the antivirus with the file's path. The antivirus will test it for any malicious content and pipe the output. If the AV returns a positive for virus, delete the file and report the incident to the admin. But, this is still a stub and will need a lot of research into the available AVs to see how to trigger them. Using a web based antivirus engine like virustotal would be my last resort because of various reasons such as network load, time delay etc. I'm wondering how server administrators in the *real* world handle this problem. This indeed looks like a genuine issue and I'm guessing there must be some standard solution/practice to this issue.

Posted by sam0, 04-06-2010, 02:52 AM
There aren't image 'viruses'; there were image 'exploits', exploiting the way particular software handles the image. You can't account for all the possible holes in the user's browser. I don't know of any popular web applications that scan images. You could get the admin to input the path to their antivirus, but starting the virus scan would require use of the exec() functions, which are a security risk in themselves. And also it would be unlikely that the script would be able to be used on shared hosting. Last edited by sam0; 04-06-2010 at 02:55 AM.
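
The scanner hook discussed in the two posts above, as an added example that is not part of the original thread: it starts the scanner without a shell, which removes the command-injection risk of building an exec() string from a file path. `SCANNER_PATH`, `scan_file()`, the `userfile` form field and the `uploads/` directory are assumptions; the exit codes are those documented for ClamAV's `clamscan`, and another scanner would need its own mapping.

```php
<?php
// Added example, not code from the thread.
// SCANNER_PATH is an assumed install-time config value chosen by the admin.
const SCANNER_PATH = '/usr/bin/clamscan';

/**
 * Run the configured scanner on one file.
 * Returns 'clean', 'infected' or 'error' (clamscan exits 0, 1 or 2 respectively).
 */
function scan_file(string $path, string $scanner = SCANNER_PATH): string
{
    $real = realpath($path);
    if ($real === false || !is_file($real) || !is_executable($scanner)) {
        return 'error';
    }
    // Array form (PHP >= 7.4) starts the process directly, with no shell,
    // so characters in the path are never interpreted as shell syntax.
    $cmd  = [$scanner, '--no-summary', '--stdout', $real];
    $proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 'error';
    }
    $report = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);

    if ($exit === 0) {
        return 'clean';
    }
    if ($exit === 1) {
        error_log('Upload rejected by scanner: ' . trim($report));
        return 'infected';
    }
    return 'error';
}

// Upload handler; 'userfile' is a hypothetical form field name.
if (isset($_FILES['userfile']) && is_uploaded_file($_FILES['userfile']['tmp_name'])) {
    $tmp = $_FILES['userfile']['tmp_name'];
    if (scan_file($tmp) !== 'clean') {
        unlink($tmp);                 // fail closed: scanner errors also reject
        http_response_code(422);
        exit('Upload rejected.');
    }
    // Store under a server-generated name, never the client-supplied one.
    move_uploaded_file($tmp, __DIR__ . '/uploads/' . bin2hex(random_bytes(16)));
}
```

On hosts where process-spawning functions are disabled, `scan_file()` returns `'error'` or fails outright, so the handler rejects uploads rather than accepting them unscanned.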

Posted by prashant1979, 04-06-2010, 03:57 AM
I had faced this issue on a customer's server once. The gif images in the customer's websites were infected. Though the gif images are binary files, when I opened a few of them in a notepad, I could see an iframe injection amongst the binary content. Till date I have not been able to figure out what could have caused the iframe injection in the images.

Posted by sam0, 04-06-2010, 04:05 AM
It was probably a malicious script that injected all html files with iframes and incorrectly also injected the gifs.

Posted by texens, 04-06-2010, 04:12 AM
Image file was just an example, and by mentioning it I wanted to hint at the fact that even non-executables such as images, PowerPoint, PHP and HTML files etc. can also be infected with viruses. I can selectively refuse to upload executables and zip archives to reduce the virus threat. But, it won't be good enough. I'm not sure, but I'm guessing that almost all shared hosting have dedicated anti-virus on board the system to check for virus etc. Hence, in such cases we can simply do away with the scanning. We can set a flag for virus check in the config file during installation.

Posted by sam0, 04-06-2010, 04:20 AM
A lot of hosts just scan email, not all the files on their system in real time. I still don't quite see what your web app is going to do, allow any file to be uploaded by anyone then be edited/redistributed by anyone?

Posted by klikli, 04-06-2010, 12:19 PM
For GIFs, try to use GD to resize.
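
The GD suggestion above, as an added example that is not part of the original thread: decoding an uploaded GIF and writing a freshly encoded copy keeps only pixel data, so non-image bytes such as the iframe markup described earlier in the thread do not survive. `reencode_gif()`, the size limits and the sample file are assumptions constructed for illustration; animation and transparency are flattened by this approach.

```php
<?php
// Added example, not code from the thread. Names and limits are assumptions.

/**
 * Decode a GIF with GD and write a newly encoded (optionally downscaled) copy.
 * Returns true on success, false if the input is not a usable GIF.
 */
function reencode_gif(string $src, string $dst, int $maxSide = 1024): bool
{
    // Check the type from the file header, not from the client-supplied name.
    $info = @getimagesize($src);
    if ($info === false || $info[2] !== IMAGETYPE_GIF) {
        return false;
    }
    [$w, $h] = $info;
    if ($w < 1 || $h < 1 || $w > 10000 || $h > 10000) {
        return false;   // refuse extreme dimensions before allocating memory
    }
    $in = @imagecreatefromgif($src);
    if ($in === false) {
        return false;
    }
    $scale = min(1.0, $maxSide / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    $out = imagecreatetruecolor($nw, $nh);
    imagecopyresampled($out, $in, 0, 0, 0, 0, $nw, $nh, $w, $h);
    return imagegif($out, $dst);   // only decoded pixels are written
}

// Constructed sample: a small GIF with markup appended after the image data.
$dirty = tempnam(sys_get_temp_dir(), 'gif');
imagegif(imagecreatetruecolor(8, 8), $dirty);
file_put_contents($dirty, '<iframe src="http://example.invalid/"></iframe>', FILE_APPEND);

$clean = $dirty . '.clean';
var_dump(reencode_gif($dirty, $clean));
var_dump(strpos(file_get_contents($dirty), '<iframe') !== false); // marker in input
var_dump(strpos(file_get_contents($clean), '<iframe') === false); // absent in output
unlink($dirty);
unlink($clean);
```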


