ID:               37467
 Updated by:       [EMAIL PROTECTED]
 Reported By:      paul at castlecops dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         EXIF related
 Operating System: Linux
 PHP Version:      4.4.2
 New Comment:

Paul, we do not know Nir, nor the PoC. We are php.net, not Zend.

Now, if you want us to help you fix this problem, we need:

- a short PHP script to reproduce your problem (using only 
  the image and exif functions)
- a set of images

Please reopen this bug only if you provide these two things. If you
can't provide them, leave it bogus and ask Nir to explain to you what we
need. Thank you.


Previous Comments:
------------------------------------------------------------------------

[2006-05-16 21:34:32] paul at castlecops dot com

@tony2001:

Nir should have a copy I emailed him.  Please let me know your email so
I can send a copy immediately.

------------------------------------------------------------------------

[2006-05-16 21:32:41] paul at castlecops dot com

I have discussed this issue with Nir Yariv and [EMAIL PROTECTED] from Zend and
was asked to open a report.  Further information can be obtained from
them, including the JPG PoC.  Firewall companies and ISPs are already
denying transmission of this JPG PoC across their networks.

I repeat: exif functions are not required, nor is exif required to be
compiled into PHP.  It can be entirely disabled.  getimagesize()
doesn't flag this file as false because it is a valid JPEG.  The Exif
headers in it are also valid.

PHP should not permit itself to process PHP payloads inside JPEGs (or
TIFFs, for that matter, as both allow Exif).

The original article that had something to do with this is found at
techworld:

www.techworld.com/security/news/index.cfm?NewsID=3514

A followup POC is also available here:

retrogod.altervista.org/phpbb_2020_admin_xpl.html

------------------------------------------------------------------------

[2006-05-16 21:29:35] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc.

If possible, make the script source available online and provide
a URL to it here. Try to avoid embedding huge scripts into the report.



------------------------------------------------------------------------

[2006-05-16 21:25:19] paul at castlecops dot com

Description:
------------
Affected Versions: PHP 5.1.4 and 4.4.2
The PHP server evaluates code inside a technically valid JPEG's
technically valid Exif header.  It'll evaluate it even if exif is not
compiled into PHP.

Reproduce code:
---------------
I need to attach it.

Expected result:
----------------
The POC jpg will write a file to the filesystem and include whatever
PHP code there is.  Anything is possible given the permissions of the
web server.

Actual result:
--------------
The POC jpg will write a file to the filesystem and include whatever
PHP code there is.  Anything is possible given the permissions of the
web server.


------------------------------------------------------------------------
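What such a reproducer looks like, as an added example (it was not posted in this thread and is not php.net code): the script below writes a structurally valid JPEG whose Exif ImageDescription tag carries a PHP payload, then contrasts getimagesize() and exif_read_data(), which hand the payload back as a string, with include(), which executes any <?php ... ?> span in whatever file it is given. The segment layout follows the JPEG and Exif specifications; the function names and the marker-file path are my own choices.

```php
<?php
// Added example for this thread (not code from the reporter or from php.net):
// the kind of self-contained reproducer the developers ask for. It writes a
// structurally valid 1x1 JPEG whose Exif ImageDescription tag holds a PHP
// payload, then shows that the image/exif functions only return that payload
// as data, while include() executes it. The marker-file path is an assumption.

// Minimal Exif APP1 segment: "Exif\0\0", big-endian TIFF header, one IFD with
// a single ASCII entry (tag 0x010E ImageDescription) whose value is stored
// out-of-line immediately after the IFD.
function build_exif_app1(string $payload): string
{
    $ascii = $payload . "\0";                              // Exif ASCII values are NUL-terminated
    $tiff  = "MM" . pack("n", 42) . pack("N", 8);          // byte order, magic 42, IFD0 at offset 8
    $tiff .= pack("n", 1);                                 // one directory entry
    $tiff .= pack("nnNN", 0x010E, 2, strlen($ascii), 26);  // tag, type ASCII, count, data offset
    $tiff .= pack("N", 0);                                 // no next IFD
    $tiff .= $ascii;                                       // data lands at TIFF offset 26
    $body  = "Exif\0\0" . $tiff;
    return "\xFF\xE1" . pack("n", strlen($body) + 2) . $body; // APP1 marker + length (incl. itself)
}

// Smallest JPEG that getimagesize()/exif_read_data() accept: SOI, APP1,
// SOF0 (8-bit, 1x1, one component), an empty SOS so Exif parsers stop
// cleanly, then EOI. No entropy-coded data is needed; nothing decodes it.
function build_jpeg_with_exif(string $payload): string
{
    return "\xFF\xD8"
        . build_exif_app1($payload)
        . "\xFF\xC0" . pack("n", 11) . "\x08" . pack("nn", 1, 1) . "\x01\x01\x11\x00"
        . "\xFF\xDA" . pack("n", 8) . "\x01\x01\x00\x00\x3F\x00"
        . "\xFF\xD9";
}

$marker  = sys_get_temp_dir() . '/exif_poc_ran';   // exists only if the payload ran
$payload = '<?php touch(' . var_export($marker, true) . '); ?>';
@unlink($marker);

$file = tempnam(sys_get_temp_dir(), 'exif');
file_put_contents($file, build_jpeg_with_exif($payload));

// 1. Image and exif functions treat the payload as bytes; nothing executes.
var_dump(getimagesize($file));                   // valid 1x1 IMAGETYPE_JPEG
if (function_exists('exif_read_data')) {         // exif may not be compiled in
    var_dump(exif_read_data($file)['ImageDescription']); // the payload, as a string
}
var_dump(file_exists($marker));                  // still absent after both reads

// 2. include() is what runs it: the PHP lexer scans any included file for
//    <?php ... ?> regardless of its extension or the binary bytes around it
//    (the bytes outside the tags are simply echoed as inline HTML).
include $file;
var_dump(file_exists($marker));                  // present once the file was included

unlink($file);
@unlink($marker);
?>
```

Run it with the PHP CLI. The only line that executes the payload is the include, and that is independent of whether the exif extension is compiled in or enabled; an uploaded image becomes dangerous when the application later passes it to include()/require() or lets it be served through the PHP handler, not because an image parser looked at its Exif data.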


-- 
Edit this bug report at http://bugs.php.net/?id=37467&edit=1