ID: 37467
User updated by: paul at castlecops dot com
Reported By: paul at castlecops dot com
-Status: Feedback
+Status: Open
Bug Type: EXIF related
Operating System: Linux
PHP Version: 4.4.2
New Comment:
Tony I have sent you the jpg poc just now. I can post the PHP code
that generates the JPG, but that is 76 lines. The bulk of that code
which generates this payload jpg uses chr().
Previous Comments:
------------------------------------------------------------------------
[2006-05-16 21:43:14] [EMAIL PROTECTED]
Please provide short and complete reproduce script.
20Kb exploits, which are actually exploits for some particular
application, not PHP itself, aren't really useful and do not prove
anything.
>Nir should have a copy I emailed him. Please let me know
>your email so I can send a copy immediately.
My email is [EMAIL PROTECTED]
------------------------------------------------------------------------
[2006-05-16 21:43:11] [EMAIL PROTECTED]
Paul, we do not know Nir neither Poc. We are php.net, not Zend.
Now, if you want us to help you to fix this problem, we need:
- a short PHP script to reproduce your problem (using only
the image and exif functions)
- a set of images
Please reopen this bug only if you provide these two things. If you
can't provide them, leave it bogus and ask Nir to explain you what we
need. Thank you.
------------------------------------------------------------------------
[2006-05-16 21:34:32] paul at castlecops dot com
@tony2001:
Nir should have a copy I emailed him. Please let me know your email so
I can send a copy immediately.
------------------------------------------------------------------------
[2006-05-16 21:32:41] paul at castlecops dot com
I have discussed this issue with Nir Yariv and [EMAIL PROTECTED] from Zend and
was asked to open a report. Further information can be obtained from
them including the JPG poc. Firewall companies and ISPs are already
denying this JPG poc transmission across its networks.
I repeat: exif functions are not required, nor is exif required to be
compiled into PHP. It can be entirely disabled. getimagesize()
doesn't flag this file as false because it is a valid JPEG. The Exif
header in it are also valid.
PHP should not permit itself to process PHP payloads inside JPEGs (or
TIFFs for that matter as these both allow Exif).
The original article that had something to do with this is found at
techworld:
www.techworld.com/security/news/index.cfm?NewsID=3514
A followup POC is also available here:
retrogod.altervista.org/phpbb_2020_admin_xpl.html
------------------------------------------------------------------------
[2006-05-16 21:29:35] [EMAIL PROTECTED]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.
A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc.
If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/37467
--
Edit this bug report at http://bugs.php.net/?id=37467&edit=1
