ID:               37467
 User updated by:  paul at castlecops dot com
 Reported By:      paul at castlecops dot com
 Status:           Open
 Bug Type:         EXIF related
 Operating System: Linux
 PHP Version:      4.4.2
 New Comment:

@pajoe: "Paul, we do not know Nir neither Poc. We are php.net, not
Zend."

"Poc" is proof of concept.  I suspect you meant Nora?  Tony should now
have the jpg poc.  Open it in notepad to see the PHP code.  If you read
the exif headers, this is what you'll see:

 FILE.FileName: phpJ4OyEi
 FILE.FileDateTime: 1147625054
 FILE.FileSize: 552
 FILE.FileType: 2
 FILE.MimeType: image/jpeg
 FILE.SectionsFound: COMMENT
 COMPUTED.html: width="1" height="1"
 COMPUTED.Height: 1
 COMPUTED.Width: 1
 COMPUTED.IsColor: 1
 COMMENT.0: "); fclose($fp); chmod("suntzu.php",777); ?>

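[Editor's note, not part of the bug thread: the exif dump above shows the
payload sitting in an ordinary JPEG COM (0xFFFE) segment, which is why
getimagesize() still reports a valid 1x1 image. The script below is an added
example of how an upload handler can walk the JPEG marker segments itself and
flag header segments that carry PHP-looking text. It builds its own 1x1 JPEG
skeleton with a constructed comment (no scan data, so it is not the reporter's
PoC file and will not render), then scans it the way a header-only reader
would. The marker patterns and the build_jpeg/scan_jpeg names are choices made
for this example.]

```python
"""Scan a JPEG's header segments for PHP source text (added example, not
PHP's code or the bug reporter's PoC)."""
import struct
import sys

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
COM, SOS, EOI_MARKER = 0xFE, 0xDA, 0xD9
SOF_MARKERS = {0xC0, 0xC1, 0xC2}           # baseline / extended / progressive frame headers
PHP_PATTERNS = (b"<?php", b"<?=", b"?>", b"<script")   # assumption: what we treat as suspicious


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment; the 2-byte length counts itself plus the payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(comment: bytes) -> bytes:
    """Constructed 1x1 JPEG skeleton: SOI, COM carrying `comment`, SOF0, EOI.

    There is no scan data, so decoders will not render it, but header-only
    readers (the kind that report width/height and comments) accept it.
    """
    # SOF0 payload: precision=8, height=1, width=1, 1 component (id 1, 1x1 sampling, qtable 0)
    sof0 = bytes([8]) + struct.pack(">HH", 1, 1) + bytes([1, 1, 0x11, 0])
    return SOI + segment(COM, comment) + segment(0xC0, sof0) + EOI


def iter_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to SOS or EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI_MARKER):
            return                       # entropy-coded data or end of image: header scan done
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS/EOI")


def scan_jpeg(data: bytes) -> dict:
    """Return image size plus any header segments that contain PHP-looking text."""
    report = {"width": None, "height": None, "suspicious": []}
    for marker, payload in iter_segments(data):
        if marker in SOF_MARKERS:
            # SOF payload layout: precision (1), height (2), width (2), ...
            report["height"], report["width"] = struct.unpack(">HH", payload[1:5])
        hits = [p.decode() for p in PHP_PATTERNS if p in payload]
        if hits:
            report["suspicious"].append((marker, hits, payload[:60]))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # Constructed sample comment, modelled on the shape of the COMMENT.0 value above.
        data = build_jpeg(b'<?php $fp = fopen("x.php", "w"); fwrite($fp, "..."); fclose($fp); ?>')
    r = scan_jpeg(data)
    print(f"{r['width']}x{r['height']}, suspicious header segments: {r['suspicious']}")
```

The scan is structural, not semantic: a clean comment yields an empty
"suspicious" list, while the constructed payload is reported against marker
0xFE with the matching patterns. The image is still well-formed either way,
which is the point the reporter makes about getimagesize(); rejecting or
re-encoding uploads that carry such text, and never storing them under a
name the web server will execute, is the application-side control.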

Previous Comments:
------------------------------------------------------------------------

[2006-05-16 21:48:21] paul at castlecops dot com

Tony I have sent you the jpg poc just now.  I can post the PHP code
that generates the JPG, but that is 76 lines. The bulk of that code
which generates this payload jpg uses chr().

------------------------------------------------------------------------

[2006-05-16 21:43:14] [EMAIL PROTECTED]

Please provide short and complete reproduce script.
20Kb exploits, which are actually exploits for some particular
application, not PHP itself, aren't really useful and do not prove
anything.

>Nir should have a copy I emailed him.  Please let me know 
>your email so I can send a copy immediately.

My email is [EMAIL PROTECTED]

------------------------------------------------------------------------

[2006-05-16 21:43:11] [EMAIL PROTECTED]

Paul, we do not know Nir neither Poc. We are php.net, not Zend.

Now, if you want us to help you to fix this problem, we need:

- a short PHP script to reproduce your problem (using only 
  the image and exif functions)
- a set of images

Please reopen this bug only if you provide these two things. If you
can't provide them, leave it bogus and ask Nir to explain to you what we
need. Thank you.

------------------------------------------------------------------------

[2006-05-16 21:34:32] paul at castlecops dot com

@tony2001:

Nir should have a copy I emailed him.  Please let me know your email so
I can send a copy immediately.

------------------------------------------------------------------------

[2006-05-16 21:32:41] paul at castlecops dot com

I have discussed this issue with Nir Yariv and [EMAIL PROTECTED] from Zend and
was asked to open a report.  Further information can be obtained from
them including the JPG poc.  Firewall companies and ISPs are already
denying this JPG poc transmission across their networks.

I repeat: exif functions are not required, nor is exif required to be
compiled into PHP.  It can be entirely disabled.  getimagesize()
doesn't flag this file as false because it is a valid JPEG.  The Exif
headers in it are also valid.

PHP should not permit itself to process PHP payloads inside JPEGs (or
TIFFs for that matter as these both allow Exif).

The original article that had something to do with this is found at
techworld:

www.techworld.com/security/news/index.cfm?NewsID=3514

A followup POC is also available here:

retrogod.altervista.org/phpbb_2020_admin_xpl.html

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/37467

-- 
Edit this bug report at http://bugs.php.net/?id=37467&edit=1
