On Thu, 2013-09-19 at 16:14 +0200, Arno Kuhl wrote:

> Arno: If you can request that file using a web browser, and it gets executed
> as PHP on your server then there is an error in the Apache configuration.
> Easy test: create a file in a text editor containing some PHP (<?php
> phpinfo(); ?> would be enough) and upload it to the www root of your site
> and name it test.pgif. Then hit http://www.yourdomain.com/test.pgif in your
> browser. If you see the PHP code or an error then you're fine. If you see
> PHP's info page then you need to change web host as quickly as possible. I
> don't care if they fix it - the fact their server was configured to do this
> by default is enough for me to never trust them again.
> -Stuart
> --
> Thanks Stuart. I just tried it now, test.php.pgif displayed the info while
> test.xyz.pgif returned the content, confirming the problem. My service
> provider finally conceded the problem is on their side and are looking for
> an urgent fix, much too complicated to consider moving service providers in
> the short term.
> As a side note, the sp said the issue is new and coincided with an upgrade
> to fastcgi recently, I wonder if the hacker was exploiting a known issue
> with that scenario?
> Cheers
> Arno

I think most importantly, validate your input!

If you're expecting an image, check to make sure it's an image. Use the
imagecopyresampled() function that's part of GD to create a duplicate of
the exact same size to ensure that it's both an image and not containing
a hidden payload (which has happened to JPEG images before)

If it's a file of another type, use a different appropriate method to
validate that. DOMDocument will deal with XML and HTML documents, you
can use zip functions to inspect Office documents (the newer types at
least), FPDF to handle PDF files, etc.

By only checking the extension you're relying on user-supplied data,
which by definition is tainted.


Reply via email to