On 23-09-2012 21:30, admin wrote:
Jpgs can hold other data rather than image data
One thing to try is to run strip_tags($image) to remove any php code



I understand the principle behind
include('pages/' . $_GET['page'] . '.php');

Which I find ridiculous if anyone did that.
I am not sure how he was calling the image to be sure. I watched him upload
the image and then
Do what looked like a normal echo UPLOADED_IMAGES.$_FILE["name"]; You seen
phpinfo() called but it was not in the script rather in the image.

He opened the test.jpg in a text editor and sure enough there was <?php
phpinfo(); ?> in the code of the jpeg.

This bothers me because I am not sure what all he did. He was proving PHP is
not a safe language in front of a rather large group or people in the
I could only look on in disbelief that it just happened in front of me.

Everything inside of me wants to say he was doing something outside of what
I consider normal circumstances.
My question is this:
If someone uploads a image through a form or whatever and they have embedded
a code in can that code inside the image be executed by viewing the file?

The answer to this is both yes and no. It all depends on:
a) what you do with the file
b) how your webserver is set up / configured

PHP scripts are executed using the PHP interpreter. This means, that for a PHP script to be executed, the server needs to:
1. assume the requested file is a PHP script
2. run the PHP interpreter, and provide it the requested file
3. return the output from the PHP interpreter

Most sane servers, when they get a request for a .jpg file, do not assume it's a PHP script, and simply return the raw image, which might include PHP script, but which will never be run by any sane person.

Some servers however, are configured to run everything through the PHP interpreter, before returning its output. In this case: yes, bad stuff will happen.

Alternatively, it's possible to run code in files from within other files. An example of this was given above, where you showed that including a file containing PHP code will execute that code. Regardless of what the file is exactly.

In practice I must admit I have very rarely seen this exploit in action, since most proper servers and scripts are configured / coded by sane enough people for this not to be possible. Unfortunately, if you come across a novice coder, (s)he might use the include 'someImage.jpg' technique to return images, instead of echo file_get_contents('someImage.jpg'), which under these circumstances is a much safer way of doing the same thing.

- Tul

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to