ID: 37467
User updated by: paul at castlecops dot com
Reported By: paul at castlecops dot com
Status: Bogus
Bug Type: EXIF related
Operating System: Linux
PHP Version: 4.4.2
New Comment:
May I also add, "my code" isn't affected. Several PHP web based
applications (for forums, galleries, wiki, etc) are affected by this.
I have made contact with these vendors and some have reported it isn't
their problem but PHP's. If you aren't going to fix the processing of
PHP code inside JPEGs...
Previous Comments:
------------------------------------------------------------------------
[2006-05-16 22:01:14] paul at castlecops dot com
"Fix your code"?
You have got to be joking. The PHP code inside the jpg I sent you is a
"PROOF OF CONCEPT". PHP executes the code within this JPG and _creates_
a file on the filesystem. Hackers are going to love this as a foothold
to gain entry to a machine.
How is this not a PHP issue?
Also I have resent to you a link to the raw jpg. Please grab it so I
can remove it.
------------------------------------------------------------------------
[2006-05-16 21:57:24] [EMAIL PROTECTED]
I don't have the image because of this:
unzip 128jpeg.zip
Archive: 128jpeg.zip
skipping: 1287789650446751fbaed81.jpg unsupported compression method 99
But anyway this is bogus, since the file contains VALID PHP code and
PHP has no reason not to execute it if it was include()'d. Fix your
code.
------------------------------------------------------------------------
[2006-05-16 21:50:06] paul at castlecops dot com
@pajoe: "Paul, we do not know Nir neither Poc. We are php.net, not
Zend."
"Poc" is proof of concept. I suspect you meant Nora? Tony should now
have the jpg poc. Open it in notepad to see the PHP code. If you read
the exif headers, this is what you'll see:
FILE.FileName: phpJ4OyEi
FILE.FileDateTime: 1147625054
FILE.FileSize: 552
FILE.FileType: 2
FILE.MimeType: image/jpeg
FILE.SectionsFound: COMMENT
COMPUTED.html: width="1" height="1"
COMPUTED.Height: 1
COMPUTED.Width: 1
COMPUTED.IsColor: 1
COMMENT.0: "); fclose($fp); chmod("suntzu.php",777); ?>
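As an added example (not code from this bug report or from PHP itself), a small Python scanner for the situation described above: it walks the JPEG marker segments, reports COM segments that carry a PHP open tag, and also scans the raw bytes, because include() executes any open tag it finds regardless of where it sits in the file. The build_jpeg helper and the two sample files are constructed here for the demonstration and are not real images.

```python
import struct

# Open tags PHP honours when a file is include()'d, whatever its extension.
# A bare "<?" also matches the "<?xpacket" header of XMP metadata, so treat
# that hit as something to review rather than proof of a payload.
PHP_OPEN_TAGS = (b"<?php", b"<?=", b"<?")
COM, SOS, EOI = 0xFE, 0xDA, 0xD9

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte
            pos += 1
            continue
        if marker in (SOS, EOI):                        # no more segments
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def php_code_in_jpeg(data: bytes):
    """('COM', text) for each comment segment holding an open tag, plus
    ('raw', offset) for the first open tag anywhere in the file."""
    findings = []
    for marker, payload in jpeg_segments(data):
        if marker == COM and any(t in payload for t in PHP_OPEN_TAGS):
            findings.append(("COM", payload.decode("latin-1")))
    # include() ignores JPEG structure, so scan the raw bytes as well.
    for tag in PHP_OPEN_TAGS:
        off = data.find(tag)
        if off != -1:
            findings.append(("raw", off))
            break
    return findings

def build_jpeg(comment: bytes = b"") -> bytes:
    """Constructed input: SOI, optional COM segment, EOI (not a real picture)."""
    seg = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment if comment else b""
    return b"\xff\xd8" + seg + b"\xff\xd9"

PAYLOAD = build_jpeg(b'<?php echo "planted"; ?>')   # constructed sample
CLEAN = build_jpeg(b"Created with a camera")        # constructed sample
```

A hit from this scanner is a reason to reject the upload; the stronger fix is to never pass user-supplied files to include() or require() at all.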
------------------------------------------------------------------------
[2006-05-16 21:48:21] paul at castlecops dot com
Tony I have sent you the jpg poc just now. I can post the PHP code
that generates the JPG, but that is 76 lines. The bulk of that code
which generates this payload jpg uses chr().
------------------------------------------------------------------------
[2006-05-16 21:43:14] [EMAIL PROTECTED]
Please provide a short and complete reproduce script.
20Kb exploits, which are actually exploits for some particular
application, not PHP itself, aren't really useful and do not prove
anything.
>Nir should have a copy I emailed him. Please let me know
>your email so I can send a copy immediately.
My email is [EMAIL PROTECTED]
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/37467