 Posted by Jerry Stuckle on 06/24/07 02:27 
Manuel Lemos wrote: 
> Hello, 
>  
> on 06/23/2007 08:25 AM Jerry Stuckle said the following: 
>>>>> It's been mentioned here a couple of times in different threads 
>>>>> regarding 
>>>>> image uploading. It's not new, but I found a clear explanation of 
>>>>> what it 
>>>>> is and how to deal with it. Hope it helps some of you. 
>>>>> 
>>>>> http://www.phpclasses.org/blog/post/67-PHP-security-exploit-with-GIF-images.html 
>>>>> 
>>>>> 
>>>>> 
>>>>> Best! 
>>>>> Sh. 
>>>> How this exploit is related specifically to GIF files? You can insert 
>>>> php code in any file and every upload script that doesn't check file 
>>>> extensions is vulnerable. 
>>> It is explained in the article. You can upload a specially crafted GIF 
>>> image that embeds PHP code. Many developers use PHP getimagesize() 
>>> function to validate that the image is GIF (or other types). The 
>>> getimagesize function will not fail because the crafted image is a valid 
>>> GIF. 
>>> 
>>> Depending on how you serve uploaded GIF files, the embedded PHP code may be 
>>> executed. 
>>> 
>>> Using GD image manipulation functions may not save anybody from exploits 
>>> because the PHP code may be embedded in the image palette space. If 
>>> those GD functions preserve the original palette, the embedded PHP code 
>>> remains there. 
>>> 
>> I don't know anyone in their right mind who would set up a server to 
>> parse gif's as PHP code. 
>  
> You are missing the point. Developers are not parsing GIFs as PHP code 
> intentionally. 
> 
 
No, I'm not. 
 
> Some less informed developers are serving uploaded GIFs in insecure 
> ways because that triggers the execution of PHP code that may be embedded 
> inside the GIF data, for instance as a stream of bytes in the GIF 
> palette like this: 
>  
 
That's their problem.  If you don't know enough about security to lock  
your house, you have little right to complain when someone walks in and  
steals your TV. 
 
> GIF89a other binary data and then GIF palette here<?php 
> readfile('/etc/passwd'); ?> more binary data. 
>  
> That is explained in the article. 
>  
 
I understand the article.  What I don't understand is why this would be  
a problem to anyone with a bit of sense. 
 
For instance - /etc/passwd does NOT have passwords in it in a modern  
Linux system.  Those are in /etc/shadow, which is only readable by root. 
 
And even if /etc/passwd had passwords, those are encrypted (actually,  
hashed), and even if they were read one would have to go through a lot  
of gyrations to determine a compatible password. 
 
A bunch of hype for the truly uninformed, IMHO. 
 
--  
================== 
Remove the "x" from my email address 
Jerry Stuckle 
JDS Computer Training Corp. 
jstucklex@attglobal.net 
==================
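An added example, not code from this thread or from the linked article, showing the defensive check the discussion implies: accept an upload only if getimagesize() recognises it AND its raw bytes carry no PHP open tag, since a structurally valid GIF can still hold code in its palette. The function names and the sample bytes below are my own construction.

```php
<?php
// getimagesize() only parses the header; it never looks at palette or
// trailing bytes, so a valid GIF can still contain "<?php ...". This scan
// rejects such files before they are stored anywhere a PHP handler could touch.
function containsPhpOpenTag(string $bytes): bool
{
    // Matches "<?php", "<?=" and the short tag "<?" followed by whitespace.
    // Requiring a word boundary/whitespace keeps false positives on random
    // binary data very rare, while still catching the forms PHP executes.
    return preg_match('/<\?(php\b|=|\s)/i', $bytes) === 1;
}

// Returns [accepted, reason-or-extension]. Only the detected type decides the
// stored extension; the client-supplied file name is never used.
function validateUploadedImage(string $tmpPath): array
{
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return [false, 'not an image'];
    }
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        return [false, 'unsupported image type'];
    }
    $bytes = file_get_contents($tmpPath);
    if ($bytes === false || containsPhpOpenTag($bytes)) {
        return [false, 'image contains PHP tags'];
    }
    // Store as <random>.<ext> in a directory where the web server never
    // hands files to the PHP engine (e.g. php_admin_flag engine off).
    return [true, $allowed[$info[2]]];
}

// Constructed sample bytes (not a real upload): a GIF signature followed by a
// PHP tag where palette data would normally sit.
$withTag    = "GIF89a" . str_repeat("\x00", 7) . "<?php readfile('/etc/passwd'); ?>";
$withoutTag = "GIF89a" . str_repeat("\x00", 7);
var_dump(containsPhpOpenTag($withTag));
var_dump(containsPhpOpenTag($withoutTag));
```

The byte scan is a second line of defence; the first is serving uploads from a location the PHP engine is not mapped to, so even a file that slips through cannot execute.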