PHP Security Exploit With GIF Images

June 22, 2007

News

p. There is a new blog post on the PHPClasses site that talks about a PHP security exploit that can be performed using specially crafted GIF images that embed malicious PHP code.

bq. I am writing this because it is very important to spread the word about this PHP security exploit that can be used to abuse sites written by many developers who are not well aware of security issues.

p. Advice is given on what to do and not to do to avoid the problem.

5 Responses to “PHP Security Exploit With GIF Images”

  1. justdave Says:

    Thanks ml for explaining the exploit. I must have misunderstood the problem. It still does boil down to never trusting user supplied input. (and I’ve had my coffee quota this morning so all is good) lol

    So to sum things up if an image needs to be served up by php it’s best to read the file into the buffer for output and not simply include it for use. Correct?

    Cheers,
    Dave

  2. ml Says:

    justdave, all security exploits only affect sites that use poorly written code. This is why it is necessary to alert people that write poorly written code. If this does not affect your sites, good. Otherwise, you may want to pay more attention to the techniques attackers may use.

    For instance, relying on the MIME type sent by the browser for an uploaded file is not a reliable way to protect yourself, because that information comes from the browser and the attacker may spoof the content type.

    Even if you check the uploaded file extension, you may still be subject to the exploit. It depends on how you serve the uploaded files. As explained in the article, if you use include/require to serve uploaded GIF files, you may be triggering the execution of malicious PHP code embedded in the GIF files.

    This may sound silly, but some developers use include and require to serve files that are not PHP scripts.

    Anyway, this exploit is not exactly old news. What is new is that it was discovered that it is possible to craft a perfectly valid GIF file that embeds PHP code in the palette section of the image file.

    Since the image is valid, the PHP getimagesize will succeed. Many sites use getimagesize as the sole method to discard insecure files that are expected to be images. Alerting for this fact is the purpose of warning for this exploit possibility, as it was already used to attack some PHP sites.
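
    As an added example (not code from the PHPClasses post or from any commenter), the two serving patterns ml contrasts: the include/require version, which executes PHP hidden in a structurally valid GIF, beside a readfile()-based version that restricts the name, checks the image type and copies the bytes without interpreting them. The function names, the uploads directory and the tag-scan helper are assumptions.

```php
<?php
// Added example, not code from the PHPClasses post or the commenters.
// Assumed layout: uploads are stored in $uploadDir and served by name.

$uploadDir = __DIR__ . '/uploads';

// Pattern ml warns about: getimagesize() only checks that the file is a
// structurally valid image. include() then parses the bytes as a PHP script,
// so a PHP open tag hidden in the GIF palette is executed on the server.
function serve_image_insecure(string $uploadDir, string $name): void
{
    $path = "$uploadDir/$name";
    if (@getimagesize($path) === false) {
        http_response_code(400);
        return;
    }
    header('Content-Type: image/gif');
    include $path; // BUG: the file is interpreted, not copied
}

// Hardened version: restrict the name (no traversal), allow only known image
// types, reject files that carry a PHP open tag, and stream with readfile(),
// which copies bytes to the client and never interprets them.
function serve_image_secure(string $uploadDir, string $name): void
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(gif|png|jpe?g)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = "$uploadDir/$name";
    $types = [IMAGETYPE_GIF => 'image/gif', IMAGETYPE_PNG => 'image/png',
              IMAGETYPE_JPEG => 'image/jpeg'];
    $info = @getimagesize($path);
    if ($info === false || !isset($types[$info[2]]) || contains_php_tag($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $types[$info[2]]);
    header('X-Content-Type-Options: nosniff'); // stop browsers re-sniffing the body
    readfile($path);
}

// Defence in depth (also usable at upload time): a genuine image has no reason
// to contain a PHP open tag. Checks the long tags; if short_open_tag is enabled
// on the server, extend this to the bare "<?" sequence as well.
function contains_php_tag(string $path): bool
{
    $data = file_get_contents($path);
    return $data !== false && (stripos($data, '<?php') !== false || strpos($data, '<?=') !== false);
}
```

    Call serve_image_secure($uploadDir, $_GET['img']) from the serving script; the same contains_php_tag() check is worth running on the temporary file at upload time, before move_uploaded_file().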

  3. justdave Says:

    I can’t believe this blog post got the attention it did. This sort of exploit is old news and should only affect poorly written code. Use of move_uploaded_file, inspecting the file’s mime-type against a white list of allowed types and enforcing an alphanumeric only name along with the correct file extension will avoid this exploit.

    I’m not sure why this irked me this morning. Could be the lack of coffee. lol

  5. bate23 Says:

    I have known about this for 2 months, I think. 3 weeks ago I got a nice blog post about this exploit/security risk here:

    http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/