ID: 37467 User updated by: paul at castlecops dot com Reported By: paul at castlecops dot com -Status: Feedback +Status: Open Bug Type: EXIF related Operating System: Linux PHP Version: 4.4.2 New Comment:
I have discussed this issue with Nir Yariv and [EMAIL PROTECTED] from Zend and was asked to open a report. Further information can be obtained from them including the JPG poc. Firewall companies and ISPs are already denying this JPG poc transmission across its networks. I repeat: exif functions are not required, nor is exif required to be compiled into PHP. It can be entirely disabled. getimagesize() doesn't flag this file as false because it is a valid JPEG. The Exif header in it are also valid. PHP should not permit itself to process PHP payloads inside JPEGs (or TIFFs for that matter as these both allow Exif). The original article that had something to do with this is found at techworld: www.techworld.com/security/news/index.cfm?NewsID=3514 A followup POC is also available here: retrogod.altervista.org/phpbb_2020_admin_xpl.html Previous Comments: ------------------------------------------------------------------------ [2006-05-16 21:29:35] [EMAIL PROTECTED] Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves. A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If possible, make the script source available online and provide an URL to it here. Try to avoid embedding huge scripts into the report. ------------------------------------------------------------------------ [2006-05-16 21:25:19] paul at castlecops dot com Description: ------------ Affected Versions: PHP 5.1.4 and 4.4.2 The PHP server evaluates code inside a technically valid JPEG's technically valid Exif header. It'll evaluate it even if exif is not compiled into PHP. Reproduce code: --------------- I need to attach it. Expected result: ---------------- The POC jpg will write a file to the filesystem and include whatever PHP code there is. Anything is possible given the permissions of the web server. Actual result: -------------- The POC jpg will write a file to the filesystem and include whatever PHP code there is. Anything is possible given the permissions of the web server. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=37467&edit=1
