Re: [Full-disclosure] Php gif upload thumbnail creation remote exploit
- To: "HI-TECH ." <isowarez.isowarez.isowarez@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Php gif upload thumbnail creation remote exploit
- From: Владимир Воронцов <vladimir.vorontsov@xxxxxxxx>
- Date: Sun, 19 Jun 2011 14:16:26 +0400
http://ax330d.blogspot.com/2011/06/mosaic-of-attacks-from-image-upload.html?showComment=1308462489303#c952957474393688505
On Sun, 19 Jun 2011 02:58:16 +0200, "HI-TECH ."
<isowarez.isowarez.isowarez@xxxxxxxxxxxxxx> wrote:
> This technique describes how to exploit apps which encode pictures during a
> Php upload. Embedding Php code inside gif files which are uploaded is a
> known technique to execute arbitrary code on an Apache Php installation. Now
> what can one do when the code which uploads the file processes and encodes
> the file to a thumbnail and only this thumbnail is accessible remotely with
> the correct extension? The gif file is crunched and the embedded Php code
> disappears, bad situation you might think. The solution is to zero out all
> size fields of the gif file using a hex editor. The result after the upload
> is that the encoding routine processes the file without modifying it because
> of size checks. The Php code stays embedded in the file. -kc
--
Best regards,
Vladimir Vorontsov
ONsec security expert
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
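A structural check an upload handler can run before handing a GIF to the thumbnail encoder, added here as an example and not code from either poster: it walks the logical screen descriptor and every image descriptor and reports zeroed size fields, frames larger than the screen, and bytes appended after the trailer, so a file of the shape the quoted post describes is rejected instead of reaching a "nothing to resize, copy the original" shortcut. The two sample files are constructed for the example.

```python
import struct

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past GIF data sub-blocks (length byte + payload) to just after the 0x00 terminator."""
    while pos < len(data) and data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_size_issues(data: bytes) -> list:
    """Return structural problems in a GIF's size fields; an empty list means the file is well-formed."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF header"]
    issues = []
    sw, sh, packed = struct.unpack_from("<HHB", data, 6)   # logical screen width/height, packed flags
    if sw == 0 or sh == 0:
        issues.append(f"logical screen size is {sw}x{sh}")
    pos = 13 + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)   # skip global colour table
    frames = 0
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                                 # trailer: bytes after it are not image data
            if len(data) - pos - 1:
                issues.append(f"{len(data) - pos - 1} trailing bytes after trailer")
            break
        if block == 0x2C and pos + 10 <= len(data):      # image descriptor
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
            frames += 1
            if w == 0 or h == 0:
                issues.append(f"image {frames} has size {w}x{h}")
            elif left + w > sw or top + h > sh:
                issues.append(f"image {frames} exceeds the logical screen")
            pos += 10 + (3 * (2 << (ipacked & 0x07)) if ipacked & 0x80 else 0)   # local colour table
            pos = _skip_sub_blocks(data, pos + 1)         # +1 skips the LZW minimum code size byte
        elif block == 0x21 and pos + 2 <= len(data):     # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        else:
            issues.append(f"bad or truncated block 0x{block:02X} at offset {pos}")
            break
    else:
        issues.append("missing trailer")
    if frames == 0:
        issues.append("no image descriptor")
    return issues

# Constructed samples (not from the post): a well-formed 1x1 GIF, and the same file with every size field zeroed and opaque bytes after the trailer.
_TAIL = b"\x02\x02\x44\x01\x00\x3B"       # LZW min code size, one 2-byte sub-block, terminator, trailer
GOOD_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)          # header, screen 1x1, 2-colour GCT
            + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + _TAIL)
ZEROED_GIF = (b"GIF89a" + struct.pack("<HHBBB", 0, 0, 0x80, 0, 0) + bytes(6)
              + b"\x2C" + struct.pack("<HHHHB", 0, 0, 0, 0, 0) + _TAIL + b"CONSTRUCTED-TRAILING-DATA")
```

The check complements, rather than replaces, the real fix on the encoder side: always write the thumbnail from freshly decoded pixels and never copy the uploaded bytes through when the header claims no resize is needed.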