[3484] Mis-detecting valid images for infected ones.

Started by Hannilein, May 29, 2009, 06:53:13 PM


Hannilein

My forum installation (running SMF 1.1.9, updated from 1.1.8) seems to refuse JPG images (avatars) which contain the text 'script' (for example in 'Description') or the text '<%'.
Obviously some graphics applications store this kind of text in JPG images, which SMF then refuses. I don't know the exact origin; I got the image file in question from a user.

This is reproducible with an image which contains this text. If the relevant parts of the file are renamed ('Description' -> 'Descroption'), SMF allows the image. Also, if the refused image is loaded and saved with another program (MS Paint), the text in question is removed from the image file and SMF allows this image to be saved.

I guess this behaviour is intended as a feature and is located in the file "Profile.php" at line 1191 (near the comment "Now try to find an infection."), which was not there in the previous version.

Regards,
Dirk

Hannilein

Here are two versions of the avatar image in question:

<- refused by SMF
<- accepted by SMF

Regards

Kermit

#2
I've tried to upload the refused one as an avatar and I didn't get any warning messages.

Hannilein

Right, no warnings, it's a real error message:

Quote
Ein Fehler ist aufgetreten!
Fehler beim Speichern der Datei, bitte nochmal versuchen.

With English language setting:
Quote
An Error Has Occurred!
Your attachment couldn't be saved. This might happen because it took too long to upload or the file is bigger than the server will allow.
Please consult your server administrator for more information.

Reproducible with 3 different forums running SMF 1.1.9, also confirmed here.

Regards,
Dirk

Aleksi "Lex" Kilpinen

Tested, confirmed on my part.

1.1.9 that normally handles avatars well, gave this in a split-second when trying

Quote
An Error Has Occurred!
Your attachment couldn't be saved. This might happen because it took too long to upload or the file is bigger than the server will allow.

Please consult your server administrator for more information.

karlbenson

#5
This is caused by the regex we're using in 1.1.9 and 2.0 rc1-1 to detect possible infected/bad avatars/images being uploaded.

'~(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script\W)~'

\W should prevent misdetection for description. I'm not sure why it isn't working.

http://dev.simplemachines.org/mantis/view.php?id=3484

P.S. I also renamed the title of this topic for future reference.

Hannilein

#6
Not to forget: it is not only the 'script', it's also the '<%' because of which the image is refused.

Regards,
Dirk

stefann

After a bit of debugging with a little modification:

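    if (preg_match('~(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script\W)~', $prev_chunk . $cur_chunk, $rmatch) === 1)
    {
        // Debugging aid: log which alternative of the pattern matched.
        log_error('Found infection in uploaded file matching: ' . implode(array_slice($rmatch, 1)));
        // ... (the original rejection handling continues here)
    }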


I discovered the issue with the file I was given is actually due to a "<? " which happened to appear randomly in the JPEG data as follows:

2ÀäúVŠe<? 9o^Ni›g,ч

The plain <? string occurs twice in xpacket xml, and then 15 times with random characters following it including the whitespace above. I guess with people uploading 2mb JPEGs it's going to happen eventually!

There are about a dozen further files people are sending me that failed and I'll be interested to see exactly what the cause is with these as well, but with the size of the files people are now uploading I suspect random occurrences like these are going to need to be considered quite seriously.
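Added example (not part of the original thread and not SMF's own code): a PHP script that runs the pattern quoted above over a constructed byte string, reports which alternative matched and at what offset, and estimates how often the two short-tag alternatives match by chance in a file of a given size. The function names, the sample bytes and the assumption that compressed JPEG data behaves like uniformly random bytes are illustrative.

```php
<?php
// Added example, not SMF code. PATTERN is the regex quoted in this thread;
// the function names and the sample bytes are constructed for illustration.
const PATTERN = '~(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script\W)~';

// Return every match of the pattern in $data as [offset, printable token].
function find_hits(string $data): array
{
    preg_match_all(PATTERN, $data, $m, PREG_OFFSET_CAPTURE);
    $hits = [];
    foreach ($m[1] as [$token, $offset]) {
        // Escape non-printable bytes so the token is safe to log.
        $hits[] = [$offset, addcslashes($token, "\0..\37\177..\377")];
    }
    return $hits;
}

// Expected number of chance hits for the two short-tag alternatives
// ('<?' or '<%' followed by [\s=]) in $bytes of uniformly random data.
// Assumption: compressed JPEG data is close enough to uniform for an estimate.
function expected_short_tag_hits(int $bytes): float
{
    $class = 0; // how many byte values this PCRE build accepts for [\s=]
    for ($b = 0; $b < 256; $b++) {
        $class += preg_match('~[\s=]~', chr($b));
    }
    // Two fixed bytes, then one byte out of $class: ($class / 256^3) per offset.
    return 2 * $bytes * $class / 256 ** 3;
}

// Constructed sample: an XMP-style tag, then bytes like those quoted above.
$sample = "<rdf:Description about=\"\">" . "\xC0\xE4\xFAV\x8Ae<? 9o^Ni" . "\xFF\xD9";
foreach (find_hits($sample) as [$offset, $token]) {
    printf("offset %d: matched \"%s\"\n", $offset, $token);
}

$n = 2 * 1024 * 1024; // a 2 MB upload
$e = expected_short_tag_hits($n);
printf("expected chance hits in %d random bytes: %.2f\n", $n, $e);
printf("probability of at least one: %.0f%%\n", 100 * (1 - exp(-$e)));
```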

karlbenson

Indeed we tried not to cause false detections.

I'm not sure what the way forward is.  php short tags ( <? ) and asp short tags ( <% ) have been used in bad files and so we need to detect them.
