Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can a GIF/JPEG file contain runnable PHP code?

Tags:

security

php

gif

Testing a web application, I can upload GIF/JPEG files and I know there is a possible threat when including PHP Code properly in that GIF/Jpeg (because it is modified using imagecreatetruecolor and imagejpeg).

I was looking for an existing GIF file containing a simple PHP code (like phpinfo or echo 'hello world') just to validate that the threat was concrete.

What would be perfect is a specifically crafted GIF image containing PHP code in the middle OR in the palette color, but I was unsuccessful to find one.

like image 877
Cyril N. Avatar asked Nov 06 '12 11:11

Cyril N.


1 Answers

I'll answer myself for the jpg link file containing PHP code execution, but if someone else provide a more complete answer, I'll offer the accepted check ;)

Here's a link to a "compromised" JPEG file containing PHP exploit code (phpinfo)

(don't worry, the file won't do anything to you)

Moreover, it's important to notice that even if you succeed into uploading a gif file containing php code, if that gif file is read as gif (and not executed as php, via include/require, or a badly configured server), it won't do anything, just have php code on your server, useless.

So in order for this attack to work, you need to have two conditions :

  1. The website must use a fileupload at some point that you can access
  2. The files stored must be executed via PHP, even the image files (in that case).

Although the 1. is quite easy to have, the second is near impossible nowadays. The default configuration for PHP is to run the PHP interpreter only for .php files, either using NGinx, Apache, Lighttpd, etc.

In conclusion, this vector of attack is really low in probability of success.

like image 157
Cyril N. Avatar answered Sep 19 '22 10:09

Cyril N.