Turtles
Joined: 03 Aug 2010, Posts: 44
Posted: Sat Mar 23, 2013 6:34 pm, Post subject: PHP Image Exploit
Is AWS secured so that it does not execute PHP code found in images (this exploit)?
TRUSTAbyss
Joined: 29 Oct 2003, Posts: 3752, Location: USA, GA
Posted: Sun Mar 24, 2013 10:16 pm
Hi Turtles,

This security exploit isn't really an exploit at all and has nothing to do with Abyss Web Server. It's a validation issue that some developers forget to check before deploying their code into production. A simple regular expression can prevent the imagename.gif.php exploit (e.g. \.gif$) from being uploaded to the server via the upload form. See how important form validation is? ;)

Respectfully,
Joshua H. (TRUSTAbyss).
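An added example, written for this page and not taken from TRUSTAbyss's post or from Abyss Web Server: a PHP allowlist check of the kind described above. It goes a little beyond a bare \.gif$ test by requiring that the name consist of a plain base name followed by exactly one permitted image extension, so a name such as imagename.gif.php fails because it does not end in an image extension, and a name with a second extension hidden before the real one fails because the base name may not contain a dot. The function name and the sample names are my own.

```php
<?php
// Added example: allowlist validation of a client-supplied upload file name.
// Accepts only "<base>.<ext>" where <base> is [A-Za-z0-9_-] and <ext> is an
// image extension; anything else is rejected before the file is stored.
function isAllowedImageName(string $name): bool
{
    // Keep only the base name: a client may send a directory component.
    $name = basename($name);

    // One dot, then an allowed extension, case-insensitive.
    return (bool) preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/i', $name);
}

// Constructed sample names with the decision each one should get.
$samples = [
    'photo.gif'         => true,
    'Photo.JPG'         => true,
    'imagename.gif.php' => false, // does not end in an image extension
    'imagename.php.gif' => false, // extra dot in the base name
    'sub/dir/photo.gif' => true,  // directory part removed by basename()
    'photo.phtml'       => false,
    'photo'             => false,
];

foreach ($samples as $name => $expected) {
    $result = isAllowedImageName($name);
    printf("%-20s %s\n", $name, $result === $expected ? 'ok' : 'MISMATCH');
}
```

The check is meant as a first filter on the name only; it says nothing about the bytes inside the file, which the server should still treat as untrusted.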
Toasty
Joined: 21 Feb 2008, Posts: 298, Location: Chicago, IL
Posted: Thu Mar 28, 2013 3:48 pm
Rather, I'd drop all file extensions that have any PHP executable extensions on them (typically just .php, but some people do .php3, even .html. People who want to think they're security gurus but are actually just stupid sometimes try to confuse the end user by making the extensions .asp, .java, .cf, and so on run through PHP. Whatever the case, filter them all).

Additionally, make sure your server has short_tags off and asp_tags off and do a str_ireplace on the submitted image to replace <?PHP, <?=. This may break a very rare image, but most of the time will help lock down any issues you may have.

_________________
Audit the secure configuration of your server headers!
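An added example, not from Toasty's post, of the content-side check he describes: scanning the uploaded bytes for PHP open tags. The function name, the marker list and the two constructed sample inputs are my own. One caveat worth knowing when deciding which markers to look for: since PHP 5.4 the <?= tag is recognised regardless of the short_open_tag setting, and asp_tags was removed altogether in PHP 7.0, so <?php and <?= are the two markers that matter on any current install.

```php
<?php
// Added example: report PHP open-tag markers found in an uploaded file's bytes.
// Returns the labels of every marker seen; an empty array means none were found.
function findPhpMarkers(string $bytes): array
{
    $patterns = [
        'php open tag'   => '/<\?php\b/i', // always recognised by PHP
        'echo short tag' => '/<\?=/',      // always recognised since PHP 5.4
        'short open tag' => '/<\?\s/',     // only matters with short_open_tag=On
        'asp-style tag'  => '/<%/',        // only PHP < 7 with asp_tags=On
    ];

    $found = [];
    foreach ($patterns as $label => $regex) {
        if (preg_match($regex, $bytes) === 1) {
            $found[] = $label;
        }
    }
    return $found;
}

// Constructed inputs: a GIF-like header with padding, one clean and one with a
// marker appended. Neither is a complete image; they only exercise the scan.
$clean   = "GIF89a" . str_repeat("\x00", 16) . ";";
$tainted = "GIF89a" . str_repeat("\x00", 16) . "<?PHP ?>";

foreach (['clean' => $clean, 'tainted' => $tainted] as $label => $bytes) {
    $markers = findPhpMarkers($bytes);
    printf("%-8s %s\n", $label, $markers ? implode(', ', $markers) : 'no markers');
}
```

Rejecting an upload in which a marker is found keeps the check simple; rewriting the bytes with str_ireplace instead, as the post suggests, produces a file whose structure you did not author, which is why re-encoding the image (see the GD discussion later in this thread) is the more robust route.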
aprelium-support
Joined: 20 Feb 2009, Posts: 356
Posted: Wed May 22, 2013 3:59 pm, Post subject: Re: PHP Image Exploit
Turtles wrote:
    Is AWS secured so that it does not execute PHP code found in images (this exploit)?

They call it an exploit. We call it bad programming practices and a badly configured script.

Scripts shouldn't allow files to be uploaded inside their directory. That's the first issue, which isn't PHP specific.

Second, you cannot accept input from the user without any validation.

No Web server can prevent a script kiddie from writing and executing insecure PHP.

_________________
Support Team
Aprelium - http://www.aprelium.com
JulieReeves45
Joined: 15 Aug 2013, Posts: 1
Posted: Thu Aug 15, 2013 5:24 am
Good warning. I always load and resample uploaded images in GD before saving them, so I guess my apps are safe.
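An added example, my own code rather than anything posted by aprelium-support or JulieReeves45, that combines the two points made above: the file is stored under a server-chosen name in a directory outside the script directory (aprelium-support's first issue), and only a copy re-encoded by GD is written, never the uploaded bytes (JulieReeves45's resampling approach). It assumes PHP 7 or later with the GD extension built with GIF, JPEG and PNG support; the function name, the $uploadDir argument and the size limit are assumptions of mine.

```php
<?php
// Added example: accept an image upload by decoding it with GD and writing a
// freshly encoded PNG under a random name. Because only pixel data is copied
// onto a new canvas, nothing from the original file (trailing data, comments,
// embedded text) reaches the stored copy.
function storeImageUpload(array $file, string $uploadDir, int $maxSide = 1024): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or was not a real upload');
    }

    // Header parse first: a cheap filter before a full decode.
    $info = @getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        throw new RuntimeException('not a GIF, JPEG or PNG image');
    }

    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // Resample onto a new canvas, shrinking if either side exceeds $maxSide.
    $w = imagesx($src);
    $h = imagesy($src);
    $scale = min(1.0, $maxSide / max($w, $h));
    $nw = max(1, (int) round($w * $scale));
    $nh = max(1, (int) round($h * $scale));
    $dst = imagecreatetruecolor($nw, $nh);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);

    // Server-chosen name and fixed extension: the client's file name is never used.
    $name = bin2hex(random_bytes(16)) . '.png';
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!imagepng($dst, $path)) {
        throw new RuntimeException('could not write re-encoded image');
    }

    imagedestroy($src);
    imagedestroy($dst);
    return $name;
}

// Usage from a form with <input type="file" name="image">; the directory is an
// assumed path that must lie outside the script directory and must not be
// mapped to the PHP handler:
// $stored = storeImageUpload($_FILES['image'], '/var/uploads/images');
```

Re-encoding costs the original format and any transparency or animation a GIF carried, which is the trade-off JulieReeves45 is accepting; for a site that only needs to display the picture it is usually the right one.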