ID:               37467
 Updated by:       [EMAIL PROTECTED]
 Reported By:      paul at castlecops dot com
 Status:           Bogus
 Bug Type:         EXIF related
 Operating System: Linux
 PHP Version:      4.4.2
 New Comment:

Try this:
Create a "file.<some undefined extension>", put in there:
----
blah<?php phpinfo(); ?>
----

include() it from another PHP script.
Name me at least one reason why this file is not valid and should not
be executed. Binary data? Well, Unicode data is not ASCII either. .jpg
extension? Since when does PHP check the extension? Or do you think .inc is
not a valid extension?
The code is perfectly valid and PHP does what it has always done: executes
it.

It's your fault that your application executes data from user input,
not PHP.
Hence bogus.


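Added example, not part of the bug report or of PHP's own code: it reproduces the maintainer's point in runnable form (a constructed fake JPEG whose COM segment holds a PHP tag runs when include()'d, whatever its .jpg name) and puts the vulnerable pattern beside the fix the thread is asking for. The temp directory, the allowlist keys, the function names and the file names are assumptions chosen for the demo.

```php
<?php
// Added example (not from the bug report). include() executes <?php ... ?> tags in any
// file, whatever its name or leading bytes, so the application must control *which*
// paths reach include(); PHP will not refuse a file because it looks like a JPEG.

// Constructed stand-in for the reporter's file: SOI marker, then a COM (comment)
// segment whose body is PHP code. The COM length field counts its own two bytes.
$code     = "<?php echo 'executed'; ?>";
$fakeJpeg = "\xFF\xD8" . "\xFF\xFE" . pack('n', strlen($code) + 2) . $code;

$dir = sys_get_temp_dir() . '/inc-demo-' . getmypid();   // assumed scratch location
mkdir($dir, 0700);
file_put_contents("$dir/avatar.jpg", $fakeJpeg);

// Vulnerable pattern: a path derived from user input goes straight into include().
function render_vulnerable(string $path): string {
    ob_start();
    include $path;               // the PHP tag inside the "image" runs here
    return ob_get_clean();
}

// Hardened pattern: user input selects a key in a fixed allowlist; the filesystem
// path is never built from the request, and unknown keys are rejected, not guessed.
function render_safe(string $page, array $allowed): string {
    if (!array_key_exists($page, $allowed)) {
        throw new InvalidArgumentException("unknown page: $page");
    }
    ob_start();
    include $allowed[$page];
    return ob_get_clean();
}

// Uploads are data: return their bytes (the caller sends a fixed Content-Type),
// confined to the upload directory, and never hand them to include().
function serve_upload(string $uploadDir, string $name): string {
    $base = realpath($uploadDir);
    $real = realpath($uploadDir . '/' . basename($name));
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('not an upload');
    }
    return file_get_contents($real);
}

$out = render_vulnerable("$dir/avatar.jpg");
var_dump(strpos($out, 'executed') !== false);    // bool(true): the .jpg was executed

try {
    render_safe("$dir/avatar.jpg", ['home' => __DIR__ . '/pages/home.php']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                   // unknown page: .../avatar.jpg
}

$bytes = serve_upload($dir, 'avatar.jpg');
var_dump($bytes === $fakeJpeg);                    // bool(true): inert when read as data

unlink("$dir/avatar.jpg");
rmdir($dir);
```

The first var_dump is the bug report in one line: the bytes before the tag are emitted as inline HTML and the tag is executed. Nothing in render_safe or serve_upload inspects the upload's content; they work because the request can only choose among paths the application already decided are code, and uploaded files are never on that list.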

Previous Comments:
------------------------------------------------------------------------

[2006-05-16 22:05:32] paul at castlecops dot com

And one more afterthought:

"since the file contains VALID PHP code and PHP
has no reasons not to execute it if it was include()'d."

That's just it. A JPEG is an image, not an executable PHP page.  PHP
pages are typically "html" or "php", and not JPEG.  A hacker would work
on uploading the JPEG to a server and then through nefarious means try to
get that server's PHP to execute the JPEG, which would lead to
compromise.

JPEGs are images, not PHP payloads.

------------------------------------------------------------------------

[2006-05-16 22:02:28] paul at castlecops dot com

May I also add, "my code" isn't affected.  Several PHP web-based
applications (for forums, galleries, wikis, etc.) are affected by this. 
I have made contact with these vendors and some have reported it isn't
their problem but PHP's.  If you aren't going to fix the processing of
PHP code inside JPEGs...

------------------------------------------------------------------------

[2006-05-16 22:01:14] paul at castlecops dot com

"Fix your code"?

You have got to be joking.  The PHP code inside the jpg I sent you is a
"PROOF OF CONCEPT".  PHP executes the code within this JPG and _creates_
a file on the filesystem.  Hackers are going to love this as a foothold
to gain entry to a machine.

How is this not a PHP issue?

Also I have resent to you a link to the raw jpg.  Please grab it so I
can remove it.

------------------------------------------------------------------------

[2006-05-16 21:57:24] [EMAIL PROTECTED]

I don't have the image because of this:
unzip 128jpeg.zip
Archive:  128jpeg.zip
   skipping: 1287789650446751fbaed81.jpg  unsupported compression
method 99

But anyway this is bogus, since the file contains VALID PHP code and
PHP has no reasons not to execute it if it was include()'d. Fix your
code.

------------------------------------------------------------------------

[2006-05-16 21:50:06] paul at castlecops dot com

@pajoe: "Paul, we do not know Nir neither Poc. We are php.net, not
Zend."

"Poc" is proof of concept.  I suspect you meant Nora?  Tony should now
have the jpg poc.  Open it in notepad to see the PHP code.  If you read
the exif headers, this is what you'll see:

 FILE.FileName: phpJ4OyEi
 FILE.FileDateTime: 1147625054
 FILE.FileSize: 552
 FILE.FileType: 2
 FILE.MimeType: image/jpeg
 FILE.SectionsFound: COMMENT
 COMPUTED.html: width="1" height="1"
 COMPUTED.Height: 1
 COMPUTED.Width: 1
 COMPUTED.IsColor: 1
 COMMENT.0: "); fclose($fp); chmod("suntzu.php",777); ?>

------------------------------------------------------------------------
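Added example, not from the bug report: a small JPEG marker walker that reports where a PHP open tag sits in a file, the pattern the exif dump above shows under COMMENT.0. The sample inputs are constructed here (a bare JFIF header with and without a PHP comment segment) and the function names are assumptions. It is a detection aid for an upload handler, not a substitute for keeping uploads out of include().

```php
<?php
// Added example (not from the bug report). Walks the length-prefixed marker segments
// of a JPEG and flags COM/APPn bodies containing a PHP open tag. Because include()
// executes a tag wherever it sits, the scan also falls back to the whole file.

const PHP_TAG_RE = '/<\?(php\b|=)/i';   // misses short "<?" tags on purpose: too noisy

function jpeg_segments(string $data): array {
    if (substr($data, 0, 2) !== "\xFF\xD8") {
        throw new InvalidArgumentException('missing SOI marker');
    }
    $segments = [];
    $pos = 2;
    $len = strlen($data);
    while ($pos + 4 <= $len) {
        if (ord($data[$pos]) !== 0xFF) {
            throw new InvalidArgumentException("expected marker at offset $pos");
        }
        $marker = ord($data[$pos + 1]);
        if ($marker === 0xFF) { $pos++; continue; }                        // fill byte
        if ($marker === 0xD9 || $marker === 0xDA) { break; }               // EOI / SOS
        if ($marker === 0x01 || ($marker >= 0xD0 && $marker <= 0xD7)) {    // TEM, RSTn
            $pos += 2;                                                     // no length field
            continue;
        }
        $segLen = unpack('n', substr($data, $pos + 2, 2))[1];              // includes itself
        if ($segLen < 2 || $pos + 2 + $segLen > $len) {
            throw new InvalidArgumentException("bad segment length at offset $pos");
        }
        $segments[] = [
            'marker' => $marker,
            'offset' => $pos,
            'body'   => substr($data, $pos + 4, $segLen - 2),
        ];
        $pos += 2 + $segLen;
    }
    return $segments;
}

function find_php_tags(string $data): array {
    $hits = [];
    foreach (jpeg_segments($data) as $seg) {
        $m = $seg['marker'];
        $isMetadata = $m === 0xFE || ($m >= 0xE0 && $m <= 0xEF);          // COM, APP0..APP15
        if ($isMetadata && preg_match(PHP_TAG_RE, $seg['body'])) {
            $hits[] = sprintf('marker 0x%02X at offset %d', $m, $seg['offset']);
        }
    }
    // The walker stops at SOS; a tag hidden in entropy-coded data or after EOI
    // still executes under include(), so report it too.
    if (!$hits && preg_match(PHP_TAG_RE, $data, $mm, PREG_OFFSET_CAPTURE)) {
        $hits[] = sprintf('outside header segments at offset %d', $mm[0][1]);
    }
    return $hits;
}

// Constructed inputs (not the reporter's file): a JFIF APP0 segment, then the same
// header with a COM segment carrying a PHP tag, as in the exif dump's COMMENT.0.
$jfif    = "\xFF\xE0" . pack('n', 16) . "JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00";
$phpCom  = "<?php /* attacker code here */ ?>";
$clean   = "\xFF\xD8" . $jfif . "\xFF\xD9";
$tainted = "\xFF\xD8" . $jfif
         . "\xFF\xFE" . pack('n', strlen($phpCom) + 2) . $phpCom
         . "\xFF\xD9";
$trailer = $clean . "<?php /* appended after EOI */ ?>";

var_dump(find_php_tags($clean));     // array(0) {}
var_dump(find_php_tags($tainted));   // one hit: "marker 0xFE at offset 20"
var_dump(find_php_tags($trailer));   // one hit: "outside header segments at offset ..."
```

The offset 20 in the second result is SOI (2 bytes) plus the 18-byte APP0 segment, which is exactly where exif_read_data() found the COMMENT section in the report. Treat a hit as a reason to reject the upload, but do not treat a miss as proof of safety: the pattern only matches `<?php` and `<?=`, so short open tags and the PHP 4/5 `<script language="php">` form slip through, and a re-encoded image can carry any bytes at all. The control that actually closes the report is the one the maintainer named: never pass a path an uploader can influence to include().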

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/37467

-- 
Edit this bug report at http://bugs.php.net/?id=37467&edit=1
