> Jpgs can hold other data rather than image data
> One thing to try is to run strip_tags($image) to remove any php code
>
> http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-uploaded-as-image
> http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/
> 
> Bastien



I understand the principle behind
include('pages/' . $_GET['page'] . '.php');
http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00

Which I find ridiculous if anyone did that.
I am not sure how he was calling the image to be sure. I watched him upload
the image and then
do what looked like a normal echo UPLOADED_IMAGES.$_FILE["name"]; You saw
phpinfo() called, but it was not in the script, rather in the image.

He opened the test.jpg in a text editor and sure enough there was <?php
phpinfo(); ?> in the code of the jpeg.

This bothers me because I am not sure what all he did. He was proving PHP is
not a safe language in front of a rather large group of people in the
meeting.
I could only look on in disbelief that it just happened in front of me.

Everything inside of me wants to say he was doing something outside of what
I consider normal circumstances.
My question is this:
If someone uploads an image through a form or whatever and they have embedded
code in it, can that code inside the image be executed by viewing the file?

$image = 'uploaded.jpg';
Echo "<IMG SRC='".$image."'>";

Read this:
http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
That was written a couple months ago.



 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
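
Added example, not part of the original message or of any code shown at the meeting: PHP tags inside an uploaded file run only when the file goes through `include`/`require` (or the web server is configured to hand it to PHP), never because its name is echoed into an `<img>` tag, so the sketch below keeps request data out of `include` and re-encodes uploads before storing them. `UPLOAD_DIR`, the `PAGES` map, the `image` form field and both function names are assumptions made for illustration.

```php
<?php
// Added example: names, paths and the form field are illustrative assumptions.
const UPLOAD_DIR = __DIR__ . '/upload';
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

// Map ?page= onto a fixed list. Nothing from the request is concatenated
// into the path, so "../upload/image.jpg" and a trailing %00 have no effect.
function resolve_page(string $requested): string
{
    $file = PAGES[$requested] ?? PAGES['home'];
    return __DIR__ . '/pages/' . $file;
}

// Store an upload only if it decodes as a JPEG, and write a fresh encoding
// of the pixels. Comment/EXIF segments and trailing bytes, where a
// "<?php ... ?>" string is usually hidden, are not copied by GD.
// This is one layer; the upload directory must still never be include()d
// or configured to execute PHP.
function store_jpeg(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;                      // not a JPEG by content
    }
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        return null;                      // header looked right, data did not decode
    }
    // Server-chosen name and extension: the client's file name is never used.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    return imagejpeg($img, UPLOAD_DIR . '/' . $name, 90) ? $name : null;
}

if (PHP_SAPI !== 'cli') {
    if (isset($_FILES['image']) && is_uploaded_file($_FILES['image']['tmp_name'])) {
        $name = store_jpeg($_FILES['image']['tmp_name']);
        // Echoing the tag only sends a URL to the browser; the file is then
        // fetched as static bytes and is not parsed by PHP.
        echo $name === null
            ? 'Upload rejected'
            : '<img src="/upload/' . htmlspecialchars($name, ENT_QUOTES) . '">';
    } else {
        include resolve_page((string)($_GET['page'] ?? 'home'));
    }
}
```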
