Can Viruses be uploaded to server using upload forms and what can be the impact?

Question

I'm implementing an upload form so that my users can upload a background image to my website.

I've never really thought about it before, but I presume that a virus could be uploaded in an image format using my form.

Is it possible and is it likely to bring my website down or leave my users' data vulnerable?

• Can people upload dangerous viruses (I'm limiting the upload to jpg, png, bmp 800kb)
• What can I do to protect myself?
• Do most hosts have anti-virus built-in?
• What steps should I take with my code or server to prevent such an event, if anything?
• If a user uploads a virus file to my server and it is shown as the background, could this cause implications for people using the site, or wouldn't it get this far?

I'm using PHP and a Linux Server

Answer 1

As long as you don't execute any object that arrives from a client application, you should be safe, at least on the server side.

On the client side, things can get iffy, but generally, it shouldn't be a problem.

If you're feeling paranoid, however, running the files through a filter that only accepts image files might be a good idea, that way you are sure to not have anything else.

Answer 2

As long as you don't do anything with the images on your server, you should be safe. No, hosts do not have build in anti-virus. Most of them run on a linux operation system and cannot be harmed by normal viruses.

However there is malware in image files. (example here). I would recommend to only allow upload of trusted users. Not only because of malware protection but because of copyright issues as well