|
Full Disclosure
mailing list archives
Re: Php gif upload thumbnail creation remote exploit
From: Владимир Воронцов <vladimir.vorontsov () onsec ru>
Date: Sun, 19 Jun 2011 14:16:26 +0400
http://ax330d.blogspot.com/2011/06/mosaic-of-attacks-from-image-upload.html?showComment=1308462489303#c952957474393688505
On Sun, 19 Jun 2011 02:58:16 +0200, "HI-TECH ."
<isowarez.isowarez.isowarez () googlemail com> wrote:
This technique describes how to exploit apps which encode pictures
during a
Php upload. Embedding Php code inside gif files which are uploaded is a
known technique to execute arbitrary code on a Apache Php installation.
Now
what can one do when the code which uploads the file processes and
encodes
the file to a thumbnail and only this thumbnail is accessible remotely
with
the correct extension? The gif file is crunshed and the embedded Php
code
disappears, bad situation you might think. The solution is to zero out
all
size fields of the gif file using a hex editor. The result after the
upload
is that the encoding routine processes the file without modifying it
because
of size checks. The Php code stays embedded in the file. -kc
--
Best regards,
Vladimir Vorontsov
ONsec security expert
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
| 
