Scripted thumbnail generation: security perspective

While searching for something on the net, I came across some scripts that generate image thumbnails on the fly.

For example: http://tech.mikelopez.info/2006/03/02/php-image-resize-script/.

When using such scripts we should keep the security side in mind: your site can easily become a proxy for other people or websites.

Another similar script is here: http://www.findmotive.com/2006/08/29/create-square-image-thumbnails-with-php/.

The normal way to use these scripts is to upload the script onto a web-server (let us say at http://domain.com/imgsize.php). Then, wherever you need to include images on your webpage (for example http://domain.com/image.jpg), you need to add something like:

<img src='http://domain.com/imgsize.php?img=http://domain.com/image.jpg' alt='test' ... />

that is,

<img src='<path_to_script>?img=<path_to_image>' ... />

The entire point behind using the script rather than directly using the image in the <img> tag is to save some bandwidth and to make the page load faster. The original image is larger and we need a smaller version on the page, so rather than letting the client browser reduce the size, we reduce it on the server.

However, by doing this, you are lending your domain to anyone who wants to route illegal traffic through it. Or they can use your script to reach images from behind a proxy that blocks direct access to them. This can either damage your website’s credibility or burn out your bandwidth.

Does that mean such scripts should not be used? No, they can be used after incorporating some security into them. There are various ways to do that, and one of the simplest ways of doing so is explained below.

The page where the URLs are being generated (so where the IMG tag is being generated) should ‘sign’ the URLs like so:

<?php
$url = '...';                          // the image URL that will go into the img parameter
$sign = md5( 'password' . $url );      // signature: hash of a secret prefix plus the URL

(replace password with the password that you want to keep)

This signature should be added to the URL for the image:

<img src='<path_to_script>?img=<path_to_image>&passph=<the_sign>' ... />

The script (imgsize.php) should be modified to recompute the signature and match the recomputed signature to the one that comes from the URL. If they match, provide the access and if not, display an error message.
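Both halves of that scheme, as an added example that is not the post's own script: the page side signs the image URL and imgsize.php recomputes and compares the signature before fetching anything. It swaps the post's md5('password' . $url) for an HMAC-SHA256 over the URL with a constant-time comparison, and additionally restricts the image host; the SECRET value and the domain.com host are placeholders.

```php
<?php
declare(strict_types=1);

// Placeholder: a long random secret, ideally read from a file outside the web root.
const SECRET = 'replace-with-a-long-random-secret';

// Page side: build the thumbnail URL, attaching a signature over the image URL.
function sign_image_url(string $imgUrl, string $secret = SECRET): string
{
    // HMAC-SHA256 instead of md5('password' . $url): same idea as the post,
    // but not exposed to length-extension or collision tricks on the hash.
    $sign = hash_hmac('sha256', $imgUrl, $secret);
    return 'http://domain.com/imgsize.php?img=' . rawurlencode($imgUrl)
        . '&passph=' . $sign;
}

// imgsize.php side: recompute the signature and compare it before doing any work.
function verify_image_request(array $query, string $secret = SECRET): bool
{
    if (!isset($query['img'], $query['passph'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $query['img'], $secret);
    // hash_equals compares in constant time, so the check does not leak timing.
    if (!hash_equals($expected, (string) $query['passph'])) {
        return false;
    }
    // Even a validly signed URL must point at our own host, so the script
    // cannot be turned into a resizing proxy for arbitrary sites.
    $host = parse_url($query['img'], PHP_URL_HOST);
    return $host === 'domain.com';
}

// Usage with constructed values: a genuine URL, then a tampered img parameter.
$signed = sign_image_url('http://domain.com/image.jpg');
parse_str((string) parse_url($signed, PHP_URL_QUERY), $q);
var_dump(verify_image_request($q));          // genuine request
$q['img'] = 'http://other.example/secret.jpg'; // img changed, signature now stale
var_dump(verify_image_request($q));          // tampered request
```

In the real imgsize.php the verify call goes before the image is fetched or resized, and a false result should end in an error response rather than a fallback to the unsigned behaviour.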

Please contact me through the comments if you need assistance implementing this approach. This suggestion does not come with any warranty (please use it at your own risk) and it does not provide 100% protection. If someone is able to guess your password, or look at your source code, he can also generate signatures just like you can. However, this does provide a minimal security layer that was missing in the original script: you have locked your house.


3 Responses to “Scripted thumbnail generation: security perspective”

  1. Hi Hardeep,

    I just downloaded this script:

    http://tech.mikelopez.info/2006/03/02/php-image-resize-script/

    and then came across your post (Thank you very much!!). Can you please provide the full implementation of your URL-sign approach to the imgsize.php script?

    How to recompute the signature and match the recomputed signature to the one that comes from the URL?

    Cheers,
    Elli

  2. Hello Elli

    I will send out the script to the email ID you gave; it's not pretty enough (yet!) to be posted here.

    Regards
    DW

    PS: Anyone else who needs the full signature-and-recompute-validation script can comment here.

  3. Noticed that Facebook uses a similar mechanism
