Manuel Lemos - 2007-06-21 04:16:04 - In reply to message 1 from Gonzalo
BTW, the problem is not allowing or not allowing PHP files to be uploaded.
The problem is that many PHP developers use the getimagesize function to validate uploaded image sizes. A valid GIF file can embed PHP code and would not be detected as invalid by the getimagesize function.
As mentioned in the article, this would not be a problem if the developers would not make the image files available for access directly with the original file names. If the file name is .php or .php3 or anything that Apache processes as a PHP request, sites may be abused.
Even when the file name extension is validated, some developers use the include or require functions to serve the images. In that case, the sites may also be abused.
As you may see, the developers do not need to be so stupid to make such security mistakes.
fate - 2007-06-21 21:56:01 - In reply to message 3 from Manuel Lemos
Erm, I'm not claiming to be a great coder or such, but I did have an issue like this of people attempting to upload double extension filenames. I run a simple script to parse the file name and check the last extension for validation. This may seem simple or such but it works...
Manuel Lemos - 2007-06-21 22:03:28 - In reply to message 4 from fate
That may not be sufficient depending on how you serve the files to the users.
As mentioned in the article, if you use include or require to serve the uploaded images, you are open to security exploits. It may sound silly but some developers do that.
The problem is that valid GIF files may still contain byte sequences inside of them like this: <?php readfile('/etc/passwd'); ?>. Once PHP encounters these bytes in the GIF file that is included, that code is run.
Using getimagesize() to validate the image file would not prevent the problem because the file is a valid GIF image.
There are reports of sites being abused with exploits like this. So, depending on how cautious you are, you may or may not be subject to this exploit.
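The upload handling the thread keeps circling back to, written out as an added example (it is not code from the thread or from the article's author): getimagesize() is kept as a first check, but the stored name is generated rather than taken from the client, the extension comes from the detected image type, the file lives outside the document root, and it is served with readfile() and a Content-Type header instead of include/require. The upload directory path, the field name 'image' and the function names are assumptions for the example.

```php
<?php
// Added example, not part of the original thread. Assumed: a form field named
// 'image', and UPLOAD_DIR pointing at a directory that is NOT under the web
// server's DocumentRoot, so nothing in it can be requested (or executed) by URL.
const UPLOAD_DIR = '/var/www/uploads-private'; // assumed path

// Only these detected types are accepted; the extension is derived from the
// detection, never from the name the client sent.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function store_uploaded_image(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // getimagesize() only proves the header parses as an image. As the thread
    // notes, a valid GIF can still carry "<?php ... ?>" in its body, so this is
    // a sanity check, not a guarantee that the bytes are harmless to interpret.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Random base name + extension from the detected type: "photo.php",
    // "photo.php.gif" or any other client-chosen name never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name; // store this id in the database, hand it to serve_image()
}

// Serving: stream the bytes with the right Content-Type. The file is never
// passed to include/require, so embedded PHP tags are just pixels to the client.
function serve_image(string $name): void
{
    // Accept only names this script itself generated; no path traversal, no
    // foreign extensions.
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $info = getimagesize($path);
    header('Content-Type: ' . ($info['mime'] ?? 'application/octet-stream'));
    header('X-Content-Type-Options: nosniff'); // stop browsers re-guessing the type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage sketch (assumed routing):
//   upload.php : $id = store_uploaded_image($_FILES['image']);
//   image.php  : serve_image($_GET['id'] ?? '');
```

Re-encoding the upload through GD (imagecreatefromgif() followed by imagegif() to a new file) is a further layer that discards most non-pixel data, but it is not a guarantee that every embedded byte sequence is gone, so it complements rather than replaces keeping the files out of the interpreter's reach.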
starbuck - 2009-10-08 19:11:34 - In reply to message 7 from David
"Sorry for digging such an old topic, but why on earth would someone use include() or require() to serve a picture? Sounds a bit like "hack me please, btw here is my password" security practice..."
Actually, while the threat is correctly identified (someone uploading GIF pictures with injected php code), the vector isn't.
The scenario where developers use include/require on gif pictures mostly aims at dealing with retards. Such measures won't help them protect their website. This is due to the very simple fact that someone who executes gif pictures through require/include API calls needs a lot more training than just reading posts about PHP security.
The most probable scenario, however, occurs when websites are hosted on large public hosting servers, managed by weak admins dealing with retard users, and they get forced to configure all extensions to pass through the PHP parser (this happens, believe me).
Another situation is when you need to enforce proper access control on people who directly type the URL of confidential documents, such as .docx, .pdf or .gif documents. Some developers chose a "parse all" strategy to make sure there is always some script that gets executed.
These are the 2 additional but nonetheless important vectors that lead to GIF images upload being an exploit tool.
The most appropriate measure consists of properly configuring the web server, i.e. disabling script execution within the upload folders. With this measure implemented, even weak validation code cannot turn an uploaded document into a server-side executed bomb. However, proper code still helps and the author's recommendations should be followed carefully.
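The server-side measure the post above recommends, as an added configuration example rather than anything from the thread: an Apache 2.4 directory block that switches the PHP engine off for the upload tree, removes the handler and type mappings that would route .php-style names to the interpreter, and refuses to serve anything that is not an image. The directory path is an assumption; it covers the common case where uploads must live under DocumentRoot.

```apache
# Added example, not from the thread. Assumed upload directory under DocumentRoot.
<Directory "/var/www/html/uploads">
    # mod_php: no file in this tree is ever interpreted, whatever its name.
    # php_admin_flag cannot be re-enabled from a .htaccess file.
    php_admin_flag engine off

    # Drop any handler/type mapping that would hand these names to PHP.
    RemoveHandler .php .phtml .php3 .php4 .php5 .phps
    RemoveType    .php .phtml .php3 .php4 .php5 .phps

    # No CGI, no server-side includes, no .htaccess overrides from the upload dir.
    Options -ExecCGI -Includes
    AllowOverride None

    # Deny everything by default, then allow only image extensions back.
    # (<FilesMatch> inside <Directory> is merged after the directory-level Require.)
    Require all denied
    <FilesMatch "\.(?i:gif|jpe?g|png)$">
        Require all granted
    </FilesMatch>
</Directory>
```

With PHP-FPM instead of mod_php, php_admin_flag has no effect because the interpreter is reached through a SetHandler proxy mapping; in that setup the equivalent is a `<FilesMatch "\.php$">` block inside the same `<Directory>` that sets `SetHandler default-handler` (or keeps the deny-all rule above, which already refuses to serve such names).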