PHP Classes

PHP security exploit with GIF images

Recommend this page to a friend!
  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog PHP security exploit ...   Post a comment Post a comment   See comments See comments (28)   Trackbacks (13)  

Author:

Viewers: 1,261

Last month viewers: 404

Categories: PHP Tutorials, PHP Security

This post talks about a PHP security exploit that can be performed using specially crafted GIF images that embed malicious PHP code. Advice is given on what to do and to not do to avoid the problem.




Loaded Article
Contents:

- The PHP GIF security issue
- Avoiding the problem
- Other things you should not do
- More information


I usually do not write in this blog about general PHP issues unless it is somehow related with the PHPClasses site.

However, this time I feel that I should use the fact that new blog posts here gets great exposure, as they are notified by e-mail to over 220,000 PHP developers. So I am writing this because it is very important to spread the word about this PHP security exploits that can used to abuse from sites written by many developers that are not well aware of security issues.

Despite in the PHPClasses site there is a great concern about security, I am not really a security expert. More than anything, I am just passing the word.


- The PHP GIF security issue

The problem that was discovered is that you can insert PHP code in the middle of a GIF image. That would not be a problem if it was not for the insecure ways some developers use to serve images upload by their users.

Usually, uploaded files are moved to a given directory. If the site then serves the images directly from that directory and preserve the original file name, the site may be open for security exploits.

For instance, lets say the attacker uploads an image named image.gif.php . The image may be moved to the images directory. If the the Web server is configured as usual to process requests with files .php extension, and the site serves the image with the following URL, the request will execute the PHP code inside the image.

yoursite.com/images/image.gif.php


- Avoiding the problem

The basic solution to avoid this problem is to either serve images only with actual extensions of image files (.gif, .png, .jpeg), or protect the upload directory to avoid direct requests to where the images are located.

Depending on your PHP setup, it may or may not be easy to protect your uploaded images directory. In Apache it can be done using a .htaccess file with lines like this:

<Files images>
deny from all
</Files>

Alternatively you can use other PHP functions to serve image files as images, and so, avoid triggering the execution of PHP scripts embedded in image files like these readfile.

php.net/readfile

$file = 'image.gif.php';

Header('Content-Type: image/gif');

readfile('images/'.basename($file));


Note the use of basename function to avoid injection of malicious paths. This way, only files from inside the images directory will be served, even if the original file named was forged to steal server sensitive files like /etc/passwd .


- Other things you should not do

Usually the getimagesize function is used to verify whether the uploaded file is a valid image.

In this case it would not work because the image can still be valid and have a sequence of bytes that can be interpreted as PHP. It is not wrong to use the getimagesize function. Just be aware that it does not avoid the problem.

Another thing that I have seen people doing is to use the include or require functions to serve images stored on the server this. Obviously, this will trigger the execution of PHP code embedded in the image file.

Checking the file name extension before accepting the upload files would not avoid the security hole opened by using include or require to serve the image file on the server side directory. Always use readfile or equivalent to serve the images.


- More information

Although this kind of exploit it is not exactly new, I am afraid some sites are still vulnerable due to bad security practices of their developers.

You may learn more about this security issue.

isc.sans.org/diary.html?storyid=299 ...

isc.sans.org/diary.html?storyid=300 ...

I read about it first here:

myspaceinfosec.blogspot.com/2007/06 ...

Finally, in case you are wondering, the PHPClasses site is not affected by these problems because it makes sure that any uploaded files are served via PHP scripts. Those scripts use fopen and fread functions to serve the files.

Actually the site even uses a separate domain to avoid eventual cross-site scripting exploits that could be tried by uploading forged HTML or Flash files. This was explained

phpclasses.org/blog/post/55-Improve ...

There is a more recent article about defensive programming practices that also provide good advice, specifically about processing external systems data properly.

phpclasses.org/blog/post/65-8-defen ...

If you still have questions or comments, feel free to post a comment about this article.



You need to be a registered user or login to post a comment

1,616,683 PHP developers registered to the PHP Classes site.
Be One of Us!

Login Immediately with your account on:



Comments:

12. PHP Tutorials, PHP Security - abigailscotty (2014-05-12 20:37)
PHP Application Development AgileInfoways.com... - 1 reply
Read the whole comment and replies

11. prevent gif injection - Martin Dimitrov (2011-10-21 22:23)
another way to prevent it... - 0 replies
Read the whole comment and replies

4. GIF security - Luis Ferro (2011-05-25 01:12)
Slower image serving problem... - 3 replies
Read the whole comment and replies

8. Are you serious? - Gonzalo (2009-10-08 19:11)
it's NOT a PHP security exploit...... - 8 replies
Read the whole comment and replies

10. PHP security exploit .gif - DomainMasters.NET (2007-06-24 21:42)
The old jpeg issue revisited?... - 0 replies
Read the whole comment and replies

9. PHP security exploit with GIF images - Yin Kok Chong (2007-06-24 21:41)
The security problems are rarely come from the PHP itself... - 0 replies
Read the whole comment and replies

7. checking the file extension - ed (2007-06-20 09:59)
Is checking the file extesion enough to protect against attacts... - 1 reply
Read the whole comment and replies

2. GIF image Exploit - Loki_ (2007-06-20 09:55)
Simple Solution... - 2 replies
Read the whole comment and replies

6. Security with image functions - Peter (2007-06-20 09:54)
Secure your uploads with imagecreatefrom... - 0 replies
Read the whole comment and replies

5. Re: PHP security exploit with GIF images - Emilis Dambauskas (2007-06-20 08:29)
just use Apache config to defend against malicious uploads... - 0 replies
Read the whole comment and replies


Trackbacks:

13. images security (2011-08-16 09:13)
How I can check all my images on server, they don’t prepared with maulicious code?...

12. Subida de archivos segura con PHP (2011-04-12 16:30)
El otro día vi un buen artículo sobre cómo programar una subida de archivos de forma que no entrañe riesgos sobre la seguridad de la página web. Y voy a pasar a traducirlo con un bonito añadido al final...

11. The new powerplant... (2009-11-20 21:47)
obviously we have back ups, but they only run once a day and they are a pain in the ass to restore, not to mention find back doors that someone may have left. Original Source: The new powerplant...

10. Defending from the GIF files from hackers (2009-10-29 11:21)
I found a very good solution for injection php code in GIF files...

9. PHP GIF Image Security Issue (2009-06-25 02:43)
I just want to share with other PHP Guys out there concerning the PHP GIF Image security issue...

8. Gif Injection (2008-01-30 09:07)
Recebi um artigo nesta manhã, do PHP Classes, sobre uma falha de segurança em PHP usando imagens *.gif, onde um usuário poderia inserir códigos php malicioso na imagem...

7. php - using fopen instead of upload to import external images to website over http (2007-10-24 15:51)
If you want to let your website users add their own images to your website you could offer them the option to upload a file using an html form - remembering to treat this ‘external data’ with extreme caution...

6. Newbies, don t upload exploits with your images! (2007-07-19 11:54)
Manuel Lemos from phpClasses.org has written an excellent post about about the risks when allowing users to upload images...

5. PHP security exploit with GIF images (2007-06-20 11:24)
On the PHPClasses site today, there’s a new post that points out an issue that could happen with dyanamic GIF creation in a PHP script leading to a security exploit...

4. Gif Injection (2007-06-20 07:29)
Recebi um artigo nesta manhã, do PHP Classes, sobre uma falha de segurança em PHP usando imagens *.gif, onde um usuário poderia inserir códigos php malicioso na imagem...

3. PHP security exploit with GIF images (2007-06-20 06:13)
On the PHPClasses site today, there's a new post that points out an issue that could happen with dyanamic GIF creation in a PHP script leading to a security exploit...

2. GIF Injection (2007-06-19 22:33)
Okay, so I was just reading around on the internet and stumbled across a few different posts...

1. PHP Inside Image Files (2007-06-19 21:28)
Interesting new hack in the wild - embedding PHP (or other*) code inside an otherwise valid image file...



  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog PHP security exploit ...   Post a comment Post a comment   See comments See comments (28)   Trackbacks (13)