onion2k wrote:
kaisellgren wrote:
One can easily make a file "image.gif" and insert malicious PHP code inside color palettes, or a comment block, or possibly somewhere else. When you run tests with GD (like getimagesize()) they will work fine, because it does not check the colors -- who says the colors cannot be <?php ... ?>
And when the PHP parser runs the "image.gif" it ignores the binary data and executes the PHP code.
Why would you put image.gif through PHP's parser? That seems like a very strange thing to do. Strange, and pointless because any proper image isn't going to contain any code.
As security concerns go, I'd say that's quite low priority.
As security concerns go, it is not low priority.
For example, many people use dynamically generated avatars in forums. They assign Apache to parse .png/.gif through PHP. This is very common. And this is just one case; many graphics-related scripts may alter the way images are used on the server. I personally know three people who had their websites hacked by running files other than .php through PHP.
Security is not a measurement. It's also possible through buffer overflows to run image data on PHP. If that image data is gathered from an uploaded image file, then you have yet another security hole in your application.
Also, you must not forget a thing called Defense in Depth. Are you really sure you want to take the route that relies on the current system configurations, current software configurations, etc., and when the time comes that you or your server admin (be it you or someone else) alters any configurations by editing configs or by updating software -- will you remember to update your script to 'match' your server configuration? What about the users of your script? You are very vulnerable to chain attacks.
So as security concerns go, you cannot trust image files. You just cannot, unless you do run many different image-related manipulation functions on the image.
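Added example, not part of the original post: a constructed 1x1 GIF whose comment block carries a harmless marker string, used to show that a header-only check such as getimagesizefromstring() accepts the file while the marker is still present, and that re-encoding through GD writes a new file without the comment block. The helper names and the sample bytes are assumptions made for this illustration, and it covers only the comment-block case named in the post.

```php
<?php
// Constructed sample: a minimal 1x1 GIF89a with a comment extension
// that carries a harmless marker string (it performs no action).
$marker = '<?php /* constructed marker, does nothing */ ?>';

$gif = "GIF89a"
     . "\x01\x00\x01\x00"                                   // logical screen: 1x1
     . "\x80\x00\x00"                                       // global colour table, 2 entries
     . "\x00\x00\x00\xff\xff\xff"                           // palette: black, white
     . "\x21\xfe" . chr(strlen($marker)) . $marker . "\x00" // comment extension
     . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"           // image descriptor
     . "\x02\x02\x44\x01\x00"                               // LZW data for one pixel
     . "\x3b";                                              // trailer

// Header-only validation: reads dimensions and type, not the block contents.
function headerCheckPasses(string $bytes): bool
{
    $info = @getimagesizefromstring($bytes);
    return $info !== false && $info[2] === IMAGETYPE_GIF;
}

// Heuristic scan for a PHP open tag anywhere in the raw bytes.
function containsPhpOpenTag(string $bytes): bool
{
    return stripos($bytes, '<?php') !== false || strpos($bytes, '<?=') !== false;
}

// Decode the pixels with GD and write a fresh GIF; returns null if GD
// cannot decode the input, in which case the upload should be rejected.
function reencodeGif(string $bytes): ?string
{
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    ob_start();
    imagegif($img);
    $out = ob_get_clean();
    return $out === false ? null : $out;
}

$clean = reencodeGif($gif);

echo "header check passes on upload:   "; var_dump(headerCheckPasses($gif));
echo "open tag present in upload:      "; var_dump(containsPhpOpenTag($gif));
echo "open tag present after re-encode: "; var_dump($clean !== null && containsPhpOpenTag($clean));
```

Storing only the re-encoded bytes, under a server-generated name in a directory where no PHP handler is mapped, keeps the result independent of later handler configuration changes.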