PHP Classes

PHP Tutorials, PHP Security

Recommend this page to a friend!

      PHP Classes blog  >  PHP security exploit ...  >  All threads  >  PHP Tutorials, PHP Security  >  (Un) Subscribe thread alerts  
Subject:PHP Tutorials, PHP Security
Summary:PHP Application Development
Date:2014-05-12 11:46:53
Update:2014-05-12 20:37:33

  1. PHP Tutorials, PHP Security   Reply   Report abuse  
Picture of abigailscotty abigailscotty - 2014-05-12 18:13:52
I guess.. all security exploits only affect sites that use poorly written code. This is why it is necessary to alert people that write poorly written code. If this does not affect your sites, good. Otherwise, you may want to pay more attention to the techniques attackers may use.

For instance, relying on the MIME type sent by the browser for an uploaded file is not a reliable way to protect yourself, because that information comes from the browser and the attacker may spoof the content type.

Even if you check the uploaded file extension, you may still be subject of the exploit. It depends on how you serve the uploaded files. As explained in the article, if you use include/require to serve uploaded GIF files, you may be triggering the execution malicious PHP code embedded in the GIF files.

This may sound silly, but some developers use include and require to serve files that are not PHP scripts.

Anyway, this exploit is not exactly old news. What is new is that it was discovered that is possible to craft a perfectly valid GIF file that embeds PHP code in the palette section of the image file.

Since the image is valid, the PHP getimagesize will succeed. Many sites use getimagesize as the sole method to discard insecure files that are expected to be images. Alerting for this fact is the purpose of warning for this exploit possibility, as it was already used attack some PHP sites.

James D. ...

  2. Re: PHP Tutorials, PHP Security   Reply   Report abuse  
Picture of Manuel Lemos Manuel Lemos - 2014-05-12 20:37:33 - In reply to message 1 from abigailscotty
Exactly, unfortunately there are less experienced developers that confuse the purposes of PHP functions and use include or require where they should use readfile or similar functions that are meant just to read data, not PHP code.