Full Disclosure mailing list archives
Re: Php gif upload thumbnail creation remote exploit
From: Владимир Воронцов <vladimir.vorontsov () onsec ru>
Date: Sun, 19 Jun 2011 14:16:26 +0400
http://ax330d.blogspot.com/2011/06/mosaic-of-attacks-from-image-upload.html?showComment=1308462489303#c952957474393688505 On Sun, 19 Jun 2011 02:58:16 +0200, "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com> wrote:
This technique describes how to exploit apps which encode pictures
during a
Php upload. Embedding Php code inside gif files which are uploaded is a known technique to execute arbitrary code on a Apache Php installation.
Now
what can one do when the code which uploads the file processes and
encodes
the file to a thumbnail and only this thumbnail is accessible remotely
with
the correct extension? The gif file is crunshed and the embedded Php
code
disappears, bad situation you might think. The solution is to zero out
all
size fields of the gif file using a hex editor. The result after the
upload
is that the encoding routine processes the file without modifying it because of size checks. The Php code stays embedded in the file. -kc
-- Best regards, Vladimir Vorontsov ONsec security expert _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Php gif upload thumbnail creation remote exploit HI-TECH . (Jun 18)
- Re: Php gif upload thumbnail creation remote exploit Владимир Воронцов (Jun 19)
- Re: Php gif upload thumbnail creation remote exploit HI-TECH . (Jun 19)
- Re: Php gif upload thumbnail creation remote exploit Moritz Naumann (Jun 19)
- Re: Php gif upload thumbnail creation remote exploit HI-TECH . (Jun 20)
- Re: Php gif upload thumbnail creation remote exploit HI-TECH . (Jun 19)
- Re: Php gif upload thumbnail creation remote exploit Владимир Воронцов (Jun 19)