PHP Image Exploit

 
Post new topic   Reply to topic    Aprelium Forum Index -> General Questions
View previous topic :: View next topic  
Author Message
Turtles
-


Joined: 03 Aug 2010
Posts: 44

PostPosted: Sat Mar 23, 2013 6:34 pm    Post subject: PHP Image Exploit Reply with quote

Is AWS secured not to execute PHP code found in images (this exploit) ?
Back to top View user's profile Send private message
TRUSTAbyss
-


Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

PostPosted: Sun Mar 24, 2013 10:16 pm    Post subject: Reply with quote

Hi Turtles,

This security exploit isn't really an exploit at all and has nothing to do with Abyss Web Server. It's a validation issue that some developers forget to check before deploying their code into production. A simple regular expression can prevent the imagename.gif.php exploit (e.g. \.gif$) from being uploaded to the server via the upload form. See how important form validation is? ;)

Respectfully,

Joshua H. (TRUSTAbyss).
Back to top View user's profile Send private message Visit poster's website
Toasty
-


Joined: 21 Feb 2008
Posts: 298
Location: Chicago, IL

PostPosted: Thu Mar 28, 2013 3:48 pm    Post subject: Reply with quote

Rather, I'd drop all file extensions that have any PHP executable extensions on them (typically just .php, but some people do .php3, even .html. People who want to think they're security gurus but are actually just stupid sometimes try to confuse the end user by making the extensions .asp, .java, .cf, and so on run through PHP. Whatever the case, filter them all).

Additionally, make your your server has short_tags off and asp_tags off and do a str_ireplace on the submitted image to replace <?PHP, <?=. This may break a very rare image, but most of the time will help lock down any issues you may have.
_________________
Audit the secure configuration of your server headers!
Back to top View user's profile Send private message Visit poster's website
aprelium-support
-


Joined: 20 Feb 2009
Posts: 356

PostPosted: Wed May 22, 2013 3:59 pm    Post subject: Re: PHP Image Exploit Reply with quote

Turtles wrote:
Is AWS secured not to execute PHP code found in images (this exploit) ?


They call it exploit. We call it bad programming practices and a badly configured script.

Scripts shouldn't allow files to be uploaded inside their directory. That's the first issue which isn't PHP specific.

Second, you cannot accept input from the user without any validation.

No Web server can prevent a script kiddie from writing and executing insecure PHP.
_________________
Support Team
Aprelium - http://www.aprelium.com
Back to top View user's profile Send private message Visit poster's website
JulieReeves45
-


Joined: 15 Aug 2013
Posts: 1

PostPosted: Thu Aug 15, 2013 5:24 am    Post subject: Reply with quote

Good warning. I always load and resample uploaded images in GD before saving them, so I guess my apps are safe
Back to top View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> General Questions All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group