ansaurus

Question

How is a website hacked by a "maliciously encoded image that contained a PHP script hidden inside it"?

Answer 1

+1 A:

The only possibility I see for a server compromise is the image being included instead of read through e.g. readfile and other stream functions.

Artefacto 2010-08-30 00:05:49

You are right, but maybe I'm missing something, why would anyone `include` an image? Maybe some poor PHP based cache control that instead of `echo readfile($file)` after custom headers it just `include`s.

alex 2010-08-30 00:08:39

@alex I don't know why someone would do that, but I've seen it on SO.

Artefacto 2010-08-30 00:14:18

Yeah, I've seen this kind of mistake, too, in production code. That's as bad as it can get.

VolkerK 2010-08-30 00:33:30

Answer 2

+2 A:

Your server is parsing that file for w/e reason. The attackers are putting the PHP into the image comment.

How are you validating the file is an image? If you do it solely on mime type, then I believe they can fake the image header and include whatever they want after that. VolkerK has a practical example

In the perfect world, I wouldn't serve any public facing images via PHP for fear of such an issue.

Serve the image directly using the server; A good suggestion is to save those images to a directory where they can be served without PHP.

I think that's the gist of it, someone correct me if I'm wrong.

The Pixel Developer 2010-08-30 00:09:42

How does one add code to an image via the comments? I'm interested in making an image to test some of my other sites.

alex 2010-08-30 00:12:56

So basically, you're saying the same as me, right? The image gets included. How else would the server execute it?

Artefacto 2010-08-30 00:13:58

Any standard image editor will be able to do it. Here's how you add a comment in GIMP: http://img192.imageshack.us/img192/4104/createanewimage001.png

The Pixel Developer 2010-08-30 00:14:47

@The The point is not how you're able to embed the PHP code. It's why is the server executing it.

Artefacto 2010-08-30 00:21:14

I expanded on my answer.

The Pixel Developer 2010-08-30 00:21:46

see http://secunia.com/advisories/37475/ : "The vulnerability is caused due to the banner-edit.php script allowing the upload of files with arbitrary extensions to a folder inside the webroot."

VolkerK 2010-08-30 00:32:17

It might be even worthwhile to load the image data via imagegif() or similar and then save _that_ file with a fixed filename extension, though it puts considerably more strain on the server.

VolkerK 2010-08-30 00:39:06

Answer 3

+6 A:

It can be as simple as uploading a file like

GIF89a<?php
echo 'hi';

If your upload script tests the content type via fileinfo or mime_content_type() it is recognized as "GIF image data, version 89a" since GIF89a is the only pattern/magic number that is required to identify a file as gif.
And the OpenX upload script apparently kept the proposed filename, i.e. it was possible to save this "image" as foo.php on the server. Now, if you requested that file via http://hostname/uploaddir/foo.php the script was executed as a php script because webservers usually/often determine the content type only by the filename extension, e.g. via

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

php then echoes the leading GIF89a and executes the <?php ...code... block.
Putting the <?php block into a gif comment is slightly more sophisticated but basically the same thing.

VolkerK 2010-08-30 00:18:43

OK, this is more likely.

Artefacto 2010-08-30 00:22:33

see http://secunia.com/advisories/37475/ : "The vulnerability is caused due to the banner-edit.php script allowing the upload of files with arbitrary extensions to a folder inside the webroot."

VolkerK 2010-08-30 00:31:24

+1 Very useful information, thanks VolkerK!

alex 2010-08-30 00:36:28

ansaurus

tags:

views:

answers:

How is a website hacked by a "maliciously encoded image that contained a PHP script hidden inside it"?

related questions