#saltr (irc2p) | I2P+ 2.5.0+ >> i2pplus.github.io | skank.i2p | git.skank.i2p | purokishi.i2p | vituperative.github.io/i2pchat | natter.i2p | notbob.i2p | ramble.i2p | shreddit.i2p | cake.i2p | /msg an op for voice

#saltr

/2022/03/07

Online: 36

~dr|z3d

@RN

@eyedeekay

@orignal

+Titlacahuan

+Unbur

+acetone

+profetikla

+snex

+uop23ip

+weko

An0nm0n_

Arch

DeltaOreo

FreefallHeavens

Irc2PGuest10483

Irc2PGuest2827392

Irc2PGuest33877

Irc2PGuest34200

Irc2PGuest68850

Leopold

Nausicaa

Onn4l7h

Onn4|7h

ProRu

StormyCloudInc

anon1

anu

cumlord

itsjustme

limak

not_bob_afk

poriori

qend-irc2p

zzz2

wellicht oh well

itsjustme Good afternoon

dr|z3d hi itsjustme

itsjustme how are you dr|z3d? :)

dr|z3d not bad, thanks, you?

itsjustme I'm doing alright

dr|z3d good to hear

dr|z3d any motivation to do more cake?

itsjustme yeah maybe. What do you think is a nice feature to have now?

dr|z3d well, next feature, probably thumbnails for image files?

itsjustme hmmm

dr|z3d and better detection of filetype so you only present a view option where applicable.

dr|z3d currently, all files have both view and download options.

itsjustme just based on mime type?

dr|z3d sure, mimetype should be sufficient.

itsjustme oh right I was moving stuff to the database

itsjustme for settings and such

dr|z3d for view file, can we display the contents of something like zip file I wonder?

itsjustme I'd say not safely. One of the reasons I'm hesitant to do the thumbnails

dr|z3d so you can't create a thumbnail at upload time and then encrypt that too?

itsjustme Right now the server doesn't process the files at all

itsjustme The parsing is what I'm concerned about

dr|z3d you think there could be a hostile payload in a jpeg, for example?

itsjustme absolutely

itsjustme The risk is lower than opening a zip file though

itsjustme imo

term99 i think a thumbnail can be abused unless you burn it after 1 view

dr|z3d securityonline.info/php-jpeg-injector-injects-php-payloads-into-jpeg-images

dr|z3d stackoverflow.com/questions/13250471/can-a-gif-jpeg-file-contain-runnable-php-code

itsjustme I'm aware of how to prevent it and with the current setup of the script it shouldn't be exploitable but it does add a lot to the attach surface

term99 wb not_bob

not_bob Gtreetings. Can't stay. Need to deal with other things.

term99 roger, have a good day!

not_bob But, one of my random "Checking messages" thigns.

itsjustme term99: what is your opinion on thumbnails? good idea?

term99 once viewed, burn, else could be used for tmp cp storage for small files, people get their jollies off on anything

term99 well you delete after the first view anyways or x views

term99 personally im not a fan, download at your own time, view on your own time, don't need prying eyes when you just want to grab and go

term99 there thats my answer

itsjustme I can encrypt a thumnail seperatly like I do with the normal file

itsjustme it would be generated at the time of upload

dr|z3d term99: you'd only see the thumbnail if you have the url for the upload.

dr|z3d and that includes the site admin.

term99 can you make a hidden !important css of the img, so if they view link, thumbnail has a check option if checked then show box or something like that but not by default

term99 sounds like there's a plan already :)

dr|z3d currently, the most likely use case is that the uploader gives the recipient a direct link to the file.

dr|z3d what I'm suggesting is that the uploader could, optionally, give the user a link to the file info page instead, with a thumbnail embedded.

itsjustme I kinda feel like it should be an admin option with a warning

itsjustme defaultly off though

dr|z3d sure, that's an option. and doing some pre-processing of the file to determine if it's got any malicious payload attached wouldn't hurt, either.

term99 could also run suricata on your localhost to scan http traffic, it has a great scanner and it could just kill the conn if it finds something halting the upload

dr|z3d lol

dr|z3d that's a different ball game altogether.

dr|z3d cake itself should be self-contained, aside from required php libs.

term99 whats wrong with IDS/IPS layer tho?

dr|z3d nothing per se, except the overhead.

itsjustme yeah I want to keep it simple

dr|z3d but you definitely don't want that as a dependency.

term99 oh no, you could stack it without even touching cake

term99 anyways understandable

dr|z3d definitely want to mitigate this threat, itsjustme, given the thumbnails would likely be generated with gd, no? github.com/dlegs/php-jpeg-injector

itsjustme yeah that one shouldn't be an issue

itsjustme but I don't want to open the door to an unknown vulnerability either

dr|z3d indeed not.

dr|z3d gobiasinfosec.blog/2019/12/24/file-upload-attacks-php-reverse-shell also worth reviewing.