PHPClasses.org:
PHP security exploit with GIF images
June 20, 2007 @ 12:57:00

On the PHPClasses site today, there's a new post that points out an issue with dynamic GIF creation in a PHP script that can lead to a security exploit.

Manuel Lemos writes:

The problem that was discovered is that you can insert PHP code in the middle of a GIF image. That would not be a problem if it was not for the insecure ways some developers use to serve images uploaded by their users. Usually, uploaded files are moved to a given directory. If the site then serves the images directly from that directory and preserves the original file name, the site may be open to security exploits.

The problem comes when a user uploads an "image" file that's actually a PHP script (even one ending in .php) to the remote system. When the page then references it in an image tag, the web server executes the script on each page load instead of serving it as data. Manuel offers a suggestion to prevent the issue - protecting the images directory and using readfile to grab the contents of the file to output, rather than just a straight echo.
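To make the suggestion concrete, here is an added example of an upload handler and image server written along those lines; it is not code from the PHPClasses post. It assumes an UPLOAD_DIR outside the web root that the web server never executes from, and it re-encodes each upload through GD so that only pixel data, not any embedded script, is ever stored.

```php
<?php
// Assumption for this added example: UPLOAD_DIR lies outside the web root and
// the web server is configured never to execute anything stored under it.
const UPLOAD_DIR = '/var/app/uploads';
// Accepted image types: [extension, MIME type, GD reader, GD writer].
const TYPES = [
    IMAGETYPE_GIF  => ['gif', 'image/gif',  'imagecreatefromgif',  'imagegif'],
    IMAGETYPE_PNG  => ['png', 'image/png',  'imagecreatefrompng',  'imagepng'],
    IMAGETYPE_JPEG => ['jpg', 'image/jpeg', 'imagecreatefromjpeg', 'imagejpeg'],
];

// Store one $_FILES entry under a server-generated name, never the name the
// user supplied. Returns the generated id, or null when the upload is rejected.
function storeUploadedImage(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Inspect the real image header, not the client-supplied filename or MIME type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(TYPES[$info[2]])) { return null; }
    [$ext, , $read, $write] = TYPES[$info[2]];
    // Re-encode through GD: only decoded pixel data reaches the new file, so
    // PHP code hidden in comment blocks or appended after the image is dropped.
    $img = @$read($file['tmp_name']);
    if ($img === false) { return null; }
    $id = bin2hex(random_bytes(16));
    $ok = $write($img, UPLOAD_DIR . "/$id.$ext");
    imagedestroy($img);
    return $ok ? $id : null;
}

// Serve a stored image by id. readfile() sends the bytes as data; nothing in
// the file is ever handed to the PHP engine for execution.
function serveImage(string $id): void
{
    if (preg_match('/^[0-9a-f]{32}$/', $id)) {
        foreach (TYPES as [$ext, $mime]) {
            $path = UPLOAD_DIR . "/$id.$ext";
            if (is_file($path)) {
                header('Content-Type: ' . $mime);
                header('X-Content-Type-Options: nosniff');
                readfile($path);
                return;
            }
        }
    }
    http_response_code(404);
}
```

One caveat: re-encoding through GD keeps only the first frame of an animated GIF, so sites that need animation must keep the directory protection and readfile serving but skip the re-encode step.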

All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework