GIF PHP Exploit

  • Schraalhans Keukenmeester

    GIF PHP Exploit

    It's been mentioned here a couple of times in different threads regarding
    image uploading. It's not new, but I found a clear explanation of what it
    is and how to deal with it. Hope it helps some of you.

    This post talks about a PHP security exploit that can be performed using specially crafted GIF images that embed malicious PHP code. Advice is given on what to do and not to do to avoid the problem.


    Best!
    Sh.
    --
    Schraalhans Keukenmeester - schraalhans@the.Spamtrapexample.nl
    [Remove the lowercase part of Spamtrap to send me a message]

    "strcmp('apples ','oranges') < 0"

  • Erwin Moller

    #2
    Re: GIF PHP Exploit

    Schraalhans Keukenmeester wrote:
    > It's been mentioned here a couple of times in different threads regarding
    > image uploading. It's not new, but I found a clear explanation of what it
    > is and how to deal with it. Hope it helps some of you.
    >
    > http://www.phpclasses.org/blog/post/...IF-images.html
    >
    > Best!
    > Sh.

    Thanks.
    Good warning.
    I always load and resample uploaded images in GD before saving them, so I
    guess my apps are safe from the gif/php exploit. (More luck than wisdom.)

    Thanks.

    Regards,
    Erwin Moller


    • gosha bine

      #3
      Re: GIF PHP Exploit

      On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
      > It's been mentioned here a couple of times in different threads regarding
      > image uploading. It's not new, but I found a clear explanation of what it
      > is and how to deal with it. Hope it helps some of you.
      >
      > This post talks about a PHP security exploit that can be performed using specially crafted GIF images that embed malicious PHP code. Advice is given on what to do and not to do to avoid the problem.
      >
      > Best!
      > Sh.

      How is this exploit related specifically to GIF files? You can insert
      php code in any file and every upload script that doesn't check file
      extensions is vulnerable.

      --
      gosha bine

      extended php parser ~ http://code.google.com/p/pihipi
      blok ~ http://www.tagarga.com/blok


      • shimmyshack

        #4
        Re: GIF PHP Exploit

        On Jun 22, 1:41 pm, gosha bine <stereof...@gmail.com> wrote:
        > On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
        >> It's been mentioned here a couple of times in different threads regarding
        >> image uploading. It's not new, but I found a clear explanation of what it
        >> is and how to deal with it. Hope it helps some of you.
        >>
        >> Best!
        >> Sh.
        >
        > How is this exploit related specifically to GIF files? You can insert
        > php code in any file and every upload script that doesn't check file
        > extensions is vulnerable.
        >
        > --
        > gosha bine
        >
        > extended php parser ~ http://code.google.com/p/pihipi
        > blok ~ http://www.tagarga.com/blok

        It isn't just a simple question of examining file extensions, see url
        below for an example, there are of course others including execution
        of php within jpeg comments, or just XSS within images. Some machines
        are ok, some are not, depends on your setup, even serving image via
        download file might not stop it on some setups.



        • gosha bine

          #5
          Re: GIF PHP Exploit

          On 22.06.2007 16:28 shimmyshack wrote:
          > On Jun 22, 1:41 pm, gosha bine <stereof...@gmail.com> wrote:
          >> On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
          >>> It's been mentioned here a couple of times in different threads regarding
          >>> image uploading. It's not new, but I found a clear explanation of what it
          >>> is and how to deal with it. Hope it helps some of you.
          >>> http://www.phpclasses.org/blog/post/...loit-with-GIF-...
          >>> Best!
          >>> Sh.
          >> How is this exploit related specifically to GIF files? You can insert
          >> php code in any file and every upload script that doesn't check file
          >> extensions is vulnerable.
          >>
          >> --
          >> gosha bine
          >>
          >> extended php parser ~ http://code.google.com/p/pihipi
          >> blok ~ http://www.tagarga.com/blok
          >
          > It isn't just a simple question of examining file extensions, see url
          > below for an example, there are of course others including execution
          > of php within jpeg comments, or just XSS within images. Some machines
          > are ok, some are not, depends on your setup, even serving image via
          > download file might not stop it on some setups.

          Ok, but this has nothing to do with php. It's just a bug in (some
          obsolete version of) Internet Explorer.

          --
          gosha bine

          extended php parser ~ http://code.google.com/p/pihipi
          blok ~ http://www.tagarga.com/blok


          • shimmyshack

            #6
            Re: GIF PHP Exploit

            On Jun 22, 4:41 pm, gosha bine <stereof...@gmail.com> wrote:
            > On 22.06.2007 16:28 shimmyshack wrote:
            >> On Jun 22, 1:41 pm, gosha bine <stereof...@gmail.com> wrote:
            >>> On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
            >>>> It's been mentioned here a couple of times in different threads regarding
            >>>> image uploading. It's not new, but I found a clear explanation of what it
            >>>> is and how to deal with it. Hope it helps some of you.
            >>>> http://www.phpclasses.org/blog/post/...loit-with-GIF-...
            >>>> Best!
            >>>> Sh.
            >>> How is this exploit related specifically to GIF files? You can insert
            >>> php code in any file and every upload script that doesn't check file
            >>> extensions is vulnerable.
            >>>
            >>> --
            >>> gosha bine
            >>
            >> It isn't just a simple question of examining file extensions, see url
            >> below for an example, there are of course others including execution
            >> of php within jpeg comments, or just XSS within images. Some machines
            >> are ok, some are not, depends on your setup, even serving image via
            >> download file might not stop it on some setups.
            >> http://milw0rm.com/video/watch.php?id=58-
            >
            > Ok, but this has nothing to do with php. It's just a bug in (some
            > obsolete version of) Internet Explorer.
            >
            > --
            > gosha bine
            >
            > extended php parser ~ http://code.google.com/p/pihipi
            > blok ~ http://www.tagarga.com/blok

            The other examples do have to do with php. I just didn't provide any
            links for them.


            • Rik

              #7
              Re: GIF PHP Exploit

              On Fri, 22 Jun 2007 12:57:32 +0200, Schraalhans Keukenmeester
              <Schraalhans@the.spamtrapexample.nl> wrote:
              > It's been mentioned here a couple of times in different threads regarding
              > image uploading. It's not new, but I found a clear explanation of what it
              > is and how to deal with it. Hope it helps some of you.
              >
              > This post talks about a PHP security exploit that can be performed using specially crafted GIF images that embed malicious PHP code. Advice is given on what to do and not to do to avoid the problem.

              I've seen these claims earlier; it seems to have something to do with mostly
              Apache on Windows. Then again, I have not been able to reproduce these
              kinds of vulnerabilities without instructing Apache to parse images for
              PHP. Other people have claimed their servers do that automagically; I
              haven't found the reason why.

              --
              Rik Wasmus


              • Manuel Lemos

                #8
                Re: GIF PHP Exploit

                Hello,

                on 06/22/2007 09:41 AM gosha bine said the following:
                > On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
                >> It's been mentioned here a couple of times in different threads regarding
                >> image uploading. It's not new, but I found a clear explanation of what it
                >> is and how to deal with it. Hope it helps some of you.
                >>
                >> http://www.phpclasses.org/blog/post/...IF-images.html
                >>
                >> Best!
                >> Sh.
                >
                > How is this exploit related specifically to GIF files? You can insert
                > php code in any file and every upload script that doesn't check file
                > extensions is vulnerable.

                It is explained in the article. You can upload a specially crafted GIF
                image that embeds PHP code. Many developers use PHP's getimagesize()
                function to validate that the image is a GIF (or other types). The
                getimagesize function will not fail because the crafted image is a valid
                GIF.

                Depending on how you serve uploaded GIF files, the embedded PHP code may be
                executed.

                Using GD image manipulation functions may not save anybody from exploits
                because the PHP code may be embedded in the image palette space. If
                those GD functions preserve the original palette, the embedded PHP code
                remains there.

                --

                Regards,
                Manuel Lemos

                Metastorage - Data object relational mapping layer generator


                PHP Classes - Free ready to use OOP components written in PHP


                • Jerry Stuckle

                  #9
                  Re: GIF PHP Exploit

                  Manuel Lemos wrote:
                  > Hello,
                  >
                  > on 06/22/2007 09:41 AM gosha bine said the following:
                  >> On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
                  >>> It's been mentioned here a couple of times in different threads regarding
                  >>> image uploading. It's not new, but I found a clear explanation of what it
                  >>> is and how to deal with it. Hope it helps some of you.
                  >>>
                  >>> http://www.phpclasses.org/blog/post/...IF-images.html
                  >>>
                  >>> Best!
                  >>> Sh.
                  >> How is this exploit related specifically to GIF files? You can insert
                  >> php code in any file and every upload script that doesn't check file
                  >> extensions is vulnerable.
                  >
                  > It is explained in the article. You can upload a specially crafted GIF
                  > image that embeds PHP code. Many developers use PHP's getimagesize()
                  > function to validate that the image is a GIF (or other types). The
                  > getimagesize function will not fail because the crafted image is a valid
                  > GIF.
                  >
                  > Depending on how you serve uploaded GIF files, the embedded PHP code may be
                  > executed.
                  >
                  > Using GD image manipulation functions may not save anybody from exploits
                  > because the PHP code may be embedded in the image palette space. If
                  > those GD functions preserve the original palette, the embedded PHP code
                  > remains there.

                  I don't know anyone in their right mind who would set up a server to
                  parse GIFs as PHP code.

                  --
                  ==================
                  Remove the "x" from my email address
                  Jerry Stuckle
                  JDS Computer Training Corp.
                  jstucklex@attglobal.net
                  ==================


                  • Manuel Lemos

                    #10
                    Re: GIF PHP Exploit

                    Hello,

                    on 06/23/2007 08:25 AM Jerry Stuckle said the following:
                    >>>> It's been mentioned here a couple of times in different threads
                    >>>> regarding
                    >>>> image uploading. It's not new, but I found a clear explanation of
                    >>>> what it
                    >>>> is and how to deal with it. Hope it helps some of you.
                    >>>>
                    >>>> http://www.phpclasses.org/blog/post/...IF-images.html
                    >>>>
                    >>>> Best!
                    >>>> Sh.
                    >>> How is this exploit related specifically to GIF files? You can insert
                    >>> php code in any file and every upload script that doesn't check file
                    >>> extensions is vulnerable.
                    >>
                    >> It is explained in the article. You can upload a specially crafted GIF
                    >> image that embeds PHP code. Many developers use PHP's getimagesize()
                    >> function to validate that the image is a GIF (or other types). The
                    >> getimagesize function will not fail because the crafted image is a valid
                    >> GIF.
                    >>
                    >> Depending on how you serve uploaded GIF files, the embedded PHP code may be
                    >> executed.
                    >>
                    >> Using GD image manipulation functions may not save anybody from exploits
                    >> because the PHP code may be embedded in the image palette space. If
                    >> those GD functions preserve the original palette, the embedded PHP code
                    >> remains there.
                    >
                    > I don't know anyone in their right mind who would set up a server to
                    > parse GIFs as PHP code.

                    You are missing the point. Developers are not parsing GIFs as PHP code
                    intentionally.

                    Some less informed developers are serving uploaded GIFs in insecure
                    ways because that triggers the execution of PHP code that may be embedded
                    inside the GIF data, for instance as a stream of bytes in the GIF
                    palette like this:

                    GIF89a other binary data and then GIF palette here<?php
                    readfile('/etc/passwd'); ?> more binary data.

                    That is explained in the article.

                    --

                    Regards,
                    Manuel Lemos

                    Metastorage - Data object relational mapping layer generator


                    PHP Classes - Free ready to use OOP components written in PHP
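The two points Manuel makes above (#8 and #10), as an added example that is not part of the thread or of the PHP Classes article: gif_header_ok() reproduces what PHP's getimagesize() actually reads from a GIF (the 'GIF' signature plus width, height and flags from the logical screen descriptor), and find_php_tags() is the complementary byte scan over the whole upload. The GIF builder, the PHP_MARKER payload and the tag regex are constructed for this example; the sample is run against a GIF whose global colour table carries a harmless `<?php` marker.

```python
"""Header validation vs. byte scan for an uploaded GIF (added example).

gif_header_ok() reproduces the checks PHP's getimagesize() performs on a
GIF: the 3-byte 'GIF' signature, then width, height and the packed flags
byte of the logical screen descriptor. The global colour table that follows
is never read, so any bytes can sit there and the image still "validates".
find_php_tags() is the complementary check: look at every byte of the upload
for a PHP open tag, wherever it hides.
"""
import re
import struct

# Constructed marker placed in the palette for the demonstration. It is a
# harmless statement; the scanner only needs to recognise the open tag.
PHP_MARKER = b"<?php echo 1; ?>"

# Open tags that make the PHP engine start interpreting a file. A bare '<?'
# (short_open_tag) is left out because it false-positives on binary data; a
# scan is a detection aid, not a substitute for never executing uploads.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=|<script\s+language\s*=\s*['\"]?php",
                        re.IGNORECASE)

GIF_HEADER_LEN = 13  # 6 bytes signature/version + 7 bytes logical screen descriptor


def build_gif(width, height, palette):
    """Constructed sample: a GIF header whose global colour table is `palette`.

    The table holds 2**n RGB triples (n = 1..8); shorter input is zero padded.
    No image descriptor or pixel data follows, because the header check never
    reads that far, which is exactly the weakness being illustrated.
    """
    entries = max(2, (len(palette) + 2) // 3)
    n = max(1, (entries - 1).bit_length())       # smallest n with 2**n >= entries
    if n > 8:
        raise ValueError("a GIF global colour table holds at most 256 entries")
    table = palette.ljust(3 * 2 ** n, b"\x00")
    # bit 7: global colour table present; bits 6-4: colour resolution - 1;
    # bits 2-0: log2(table size) - 1.
    packed = 0x80 | ((n - 1) << 4) | (n - 1)
    descriptor = struct.pack("<HHBBB", width, height, packed, 0, 0)
    return b"GIF89a" + descriptor + table + b"\x3b"   # 0x3b: GIF trailer


def gif_header_ok(data):
    """Return (width, height, bits) as getimagesize() would, or None.

    Only the first 11 bytes are consulted: 'GIF', three version bytes that
    are skipped, then width, height and the flags byte.
    """
    if len(data) < 11 or data[:3] != b"GIF":
        return None
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    bits = (packed & 0x07) + 1 if packed & 0x80 else 0
    return (width, height, bits)


def find_php_tags(data):
    """Offsets of every PHP open tag anywhere in the upload, palette included."""
    return [m.start() for m in PHP_TAG_RE.finditer(data)]


def scan_upload(data):
    """Both checks together: a header-valid GIF can still carry PHP."""
    return {"header": gif_header_ok(data), "php_tags": find_php_tags(data)}


if __name__ == "__main__":
    crafted = build_gif(2, 2, PHP_MARKER)                  # tag sits in the palette
    clean = build_gif(2, 2, b"\x00\x00\x00\xff\xff\xff")   # black and white palette
    for name, blob in (("crafted", crafted), ("clean", clean)):
        result = scan_upload(blob)
        print(f"{name}: header={result['header']} php tags at {result['php_tags']}")
    # crafted: header=(2, 2, 3) php tags at [13]
    # clean: header=(2, 2, 1) php tags at []
```

The scan only tells you that an upload carried a tag; what removes the risk the thread describes is storing uploads where the web server never hands them to the PHP handler.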


                    • Jerry Stuckle

                      #11
                      Re: GIF PHP Exploit

                      Manuel Lemos wrote:
                      > Hello,
                      >
                      > on 06/23/2007 08:25 AM Jerry Stuckle said the following:
                      >>>>> It's been mentioned here a couple of times in different threads
                      >>>>> regarding
                      >>>>> image uploading. It's not new, but I found a clear explanation of
                      >>>>> what it
                      >>>>> is and how to deal with it. Hope it helps some of you.
                      >>>>>
                      >>>>> http://www.phpclasses.org/blog/post/...IF-images.html
                      >>>>>
                      >>>>> Best!
                      >>>>> Sh.
                      >>>> How is this exploit related specifically to GIF files? You can insert
                      >>>> php code in any file and every upload script that doesn't check file
                      >>>> extensions is vulnerable.
                      >>> It is explained in the article. You can upload a specially crafted GIF
                      >>> image that embeds PHP code. Many developers use PHP's getimagesize()
                      >>> function to validate that the image is a GIF (or other types). The
                      >>> getimagesize function will not fail because the crafted image is a valid
                      >>> GIF.
                      >>>
                      >>> Depending on how you serve uploaded GIF files, the embedded PHP code may be
                      >>> executed.
                      >>>
                      >>> Using GD image manipulation functions may not save anybody from exploits
                      >>> because the PHP code may be embedded in the image palette space. If
                      >>> those GD functions preserve the original palette, the embedded PHP code
                      >>> remains there.
                      >> I don't know anyone in their right mind who would set up a server to
                      >> parse GIFs as PHP code.
                      >
                      > You are missing the point. Developers are not parsing GIFs as PHP code
                      > intentionally.

                      No, I'm not.

                      > Some less informed developers are serving uploaded GIFs in insecure
                      > ways because that triggers the execution of PHP code that may be embedded
                      > inside the GIF data, for instance as a stream of bytes in the GIF
                      > palette like this:

                      That's their problem. If you don't know enough about security to lock
                      your house, you have little right to complain when someone walks in and
                      steals your TV.

                      > GIF89a other binary data and then GIF palette here<?php
                      > readfile('/etc/passwd'); ?> more binary data.
                      >
                      > That is explained in the article.

                      I understand the article. What I don't understand is why this would be
                      a problem to anyone with a bit of sense.

                      For instance - /etc/passwd does NOT have passwords in it in a modern
                      Linux system. Those are in /etc/shadow, which is only readable by root.

                      And even if /etc/passwd had passwords, those are encrypted (actually,
                      hashed), and even if they were read one would have to go through a lot
                      of gyrations to determine a compatible password.

                      A bunch of hype for the truly uninformed, IMHO.

                      --
                      ==================
                      Remove the "x" from my email address
                      Jerry Stuckle
                      JDS Computer Training Corp.
                      jstucklex@attglobal.net
                      ==================


                      • gosha bine

                        #12
                        Re: GIF PHP Exploit

                        Manuel Lemos wrote:
                        > Hello,
                        >
                        > on 06/22/2007 09:41 AM gosha bine said the following:
                        >> On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
                        >>> It's been mentioned here a couple of times in different threads regarding
                        >>> image uploading. It's not new, but I found a clear explanation of what it
                        >>> is and how to deal with it. Hope it helps some of you.
                        >>>
                        >>> http://www.phpclasses.org/blog/post/...IF-images.html
                        >>>
                        >>> Best!
                        >>> Sh.
                        >> How is this exploit related specifically to GIF files? You can insert
                        >> php code in any file and every upload script that doesn't check file
                        >> extensions is vulnerable.
                        >
                        > It is explained in the article. You can upload a specially crafted GIF
                        > image that embeds PHP code. Many developers use PHP's getimagesize()
                        > function to validate that the image is a GIF (or other types). The
                        > getimagesize function will not fail because the crafted image is a valid
                        > GIF.
                        >
                        > Depending on how you serve uploaded GIF files, the embedded PHP code may be
                        > executed.
                        >
                        > Using GD image manipulation functions may not save anybody from exploits
                        > because the PHP code may be embedded in the image palette space. If
                        > those GD functions preserve the original palette, the embedded PHP code
                        > remains there.

                        In your reply, replace "GIF" with any other format of choice (doc, pdf
                        etc) and "getimagesize" with "mime_content_type" or similar. Does that
                        change anything?

                        As long as you allow server-side execution of user-supplied files,
                        you're vulnerable. No matter in what format the files come.


                        --
                        gosha bine

                        extended php parser ~ http://code.google.com/p/pihipi
                        blok ~ http://www.tagarga.com/blok
