I was doing a little reading and ran into a vulnerability of images through something called Gifar.
Those are images combined with java jar files that can access your browser
GIFARs can be files other than combined GIF+JAR files, they could also be JPG+JAR, DOC+JAR, etc.
you can do some reading by searching Gifar on google or checking last years Black Hat conference:
Black Hat Sneak Preview | Zero Day | ZDNet.com
Sun has fixed this vulnerability in java, but you dont know if your users have installed the latest java plugin for their browser...
to be 100% sure nobody uploads a gifar to your site,
In vbgallery you have 2 possibilities..
Set: Save Original Files
(drawback: you loose the original
and smaller files wont be resized => keeping potential gifar danger..)
Set the Original Image Quality
from -1 to something like 75
the original will then be processed and gd2 or imagemagic will create a new file without malicious code...
BUT i am not sure if in that case gif or png images are really reprocessed..
as the quality option only affects jpgs. ( reprocessing is excluded in vbgallery: AND $imageinfo['numericaltype'] != 1)
So i suggest
that reprocessing of gifs is allowed and forced in next vbgallery.
I would also Suggest
, that a re-size original option (with max sizes) be added to next version.. ( this has nothing to do with vulnerabilies)
PS: i thought about another way... but it looks like a memory hog.. :
read the file into a string.. search for string like ".jar" or ".class" (is usually at the end of the code). if yes, reprocess the image..