Re: GIF PHP Exploit

Posted by gosha bine on 06/24/07 21:28

Manuel Lemos wrote:
> Hello,
>
> on 06/22/2007 09:41 AM gosha bine said the following:
>> On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
>>> It's been mentioned here a couple of times in different threads regarding
>>> image uploading. It's not new, but I found a clear explanation of what it
>>> is and how to deal with it. Hope it helps some of you.
>>>
>>> http://www.phpclasses.org/blog/post/67-PHP-security-exploit-with-GIF-images.html
>>>
>>>
>>> Best!
>>> Sh.
>> How is this exploit related specifically to GIF files? You can insert
>> PHP code in any file, and every upload script that doesn't check file
>> extensions is vulnerable.
>
> It is explained in the article. You can upload a specially crafted GIF
> image that embeds PHP code. Many developers use the PHP getimagesize()
> function to validate that the image is a GIF (or another type). The
> getimagesize function will not fail because the crafted image is a valid
> GIF.
>
> Depending on how you serve uploaded GIF files, the embedded PHP code may be
> executed.
>
> Using GD image manipulation functions may not save anybody from exploits
> because the PHP code may be embedded in the image palette space. If
> those GD functions preserve the original palette, the embedded PHP code
> remains there.
>

In your reply, replace "GIF" with any other format of choice (doc, pdf,
etc.) and "getimagesize" with "mime_content_type" or similar. Does that
change anything?

As long as you allow server-side execution of user-supplied files,
you're vulnerable. No matter in what format the files come.


--
gosha bine

extended php parser ~ http://code.google.com/p/pihipi
blok ~ http://www.tagarga.com/blok
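The thread's conclusion is that the format check is beside the point: what decides the outcome is whether user-supplied bytes can ever be executed by the server. The following upload handler is an added example written for this page, not code from the thread, the linked article, or any of the posters. It assumes an upload directory outside the web document root (`UPLOAD_DIR`), and the function names `storeUploadedImage` and `serveImage` are illustrative. It still runs getimagesize(), but only as a filter; the actual protections are that the client's filename and extension are discarded, the file lives where the web server cannot map a request to it, and it is only ever sent back via readfile() with a fixed Content-Type, never included or executed. The GD re-encode converts to truecolor before writing, which discards the original palette Manuel mentions; treat that as defence in depth, not as the boundary.

```php
<?php
declare(strict_types=1);

// Assumption for this example: a directory the web server does NOT serve.
// Nothing stored here can be requested as a script, whatever bytes it holds.
const UPLOAD_DIR = '/var/app/uploads';

/**
 * Validate and store one entry of $_FILES. Returns an opaque, server-chosen id.
 * Throws RuntimeException when the upload is rejected.
 */
function storeUploadedImage(array $file): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // Filter only: getimagesize() confirms the bytes parse as an image. As the
    // thread points out, a crafted GIF passes this check, so nothing below
    // relies on it for safety.
    $info = @getimagesize($tmp);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_PNG, IMAGETYPE_JPEG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        throw new RuntimeException('not a supported image type');
    }

    // Re-encode through GD so the stored bytes are produced by the server.
    // Palette images are promoted to truecolor first so the uploader's palette
    // data is not carried over into the output file.
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    if (!imageistruecolor($img) && !imagepalettetotruecolor($img)) {
        imagedestroy($img);
        throw new RuntimeException('palette conversion failed');
    }

    // The client's filename and extension are never used. The id is random and
    // the extension is fixed, so the stored name cannot be chosen by the uploader.
    $id = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $id;
}

/**
 * Send a stored image to the client. The bytes are read and copied to the
 * response with an explicit Content-Type; PHP never include()s or executes
 * the file, and the server never maps a URL directly onto UPLOAD_DIR.
 */
function serveImage(string $id): void
{
    // Only the exact id shape produced above is accepted, so no path segments
    // or other extensions can be smuggled in through the parameter.
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id . '.png';
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $id . '.png"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Illustrative wiring (assumed request shape):
//   POST with a file field "image"  -> $id = storeUploadedImage($_FILES['image']);
//   GET  /image.php?id=<hex id>     -> serveImage($_GET['id'] ?? '');
```

The same structure applies to gosha bine's generalisation: for doc or pdf uploads you would skip the GD step, but keep the server-chosen name, the out-of-root storage, and the readfile() handler with a fixed Content-Type, because those are what stop the "execution of user-supplied files" rather than any check on the format.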
