
[Full-disclosure] Php gif upload thumbnail creation remote exploit



This technique describes how to exploit apps which encode pictures during a
Php upload. Embedding Php code inside gif files which are uploaded is a
known technique to execute arbitrary code on an Apache Php installation. Now
what can one do when the code which uploads the file processes and encodes
the file to a thumbnail and only this thumbnail is accessible remotely with
the correct extension? The gif file is crunched and the embedded Php code
disappears, bad situation you might think. The solution is to zero out all
size fields of the gif file using a hex editor. The result after the upload
is that the encoding routine processes the file without modifying it because
of size checks. The Php code stays embedded in the file. -kc
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
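
The condition described in the post (size fields set to zero so that the thumbnail routine hands the file back unmodified) can be checked by an upload handler before and after image processing. The Python below is an added example, not part of the original post: it walks the GIF block structure, rejects zero size fields and PHP open tags, and refuses to publish a thumbnail that is byte-identical to the upload. The function names, the reject-instead-of-repair policy and the constructed sample bytes are assumptions.

```python
import struct

def _skip_sub_blocks(data, pos):  # length byte + data, ended by a zero length
    while True:
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def gif_upload_problems(data):
    """Return reasons to reject an uploaded GIF; an empty list means accept."""
    problems = ["contains PHP open tag"] if b"<?php" in data.lower() else []
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return problems + ["not a GIF"]
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        problems.append("logical screen size is zero")
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)  # global colour table
    frames = 0
    try:
        while data[pos] != 0x3B:  # 0x3B is the trailer
            if data[pos] == 0x21:  # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif data[pos] == 0x2C:  # image descriptor
                w, h, ipacked = struct.unpack_from("<HHB", data, pos + 5)
                frames += 1
                if w == 0 or h == 0:
                    problems.append("frame %d size is zero" % frames)
                pos += 10 + (3 * (2 << (ipacked & 7)) if ipacked & 0x80 else 0)
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW code size
            else:
                raise ValueError("unknown block type")
    except (IndexError, ValueError, struct.error):
        problems.append("malformed block structure")
    if frames == 0:
        problems.append("no image frames")
    return problems

def constructed_gif(width, height, comment=b""):
    """Constructed sample (not from the post): one-frame GIF with given size fields."""
    size = struct.pack("<HH", width, height)
    ext = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00" if comment else b""
    return (b"GIF89a" + size + b"\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff" + ext
            + b"\x2c\x00\x00\x00\x00" + size + b"\x00\x02\x02\x44\x01\x00\x3b")

def safe_to_publish(upload, thumbnail):
    """Publish only a re-encoded thumbnail made from an upload that passed the checks."""
    return (not gif_upload_problems(upload) and thumbnail != upload
            and b"<?php" not in thumbnail.lower())
```

Storing thumbnails under a server-generated name in a location where the PHP handler is not enabled removes the remaining dependence on content checks.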