Archive

Archive for April, 2009

PHP Upload Security & The 1×1 jpeg Hack

April 4th, 2009 5 comments
Far too often, I’ve seen example PHP code, or live PHP code, where file upload checks exclusively using
$_FILES['userfile']['type'] == ‘image/jpeg’
or
getimagesize($filename)
or
strpos(‘.jpg’, $_FILES['userfile']['name'] or strstr(‘jpg’, $_FILES['userfile']['name']
followed by something like
move_uploaded_file($_FILES['userfile']['tmpname'], PUBLIC_WEB_UPLOAD_DIR.$_FILES['userfile']['name']);
All of these methods leave the server completely vulnerable to remote script uploading and execution with the 1×1 jpeg hack.
 

How this can be exploited
To execute the 1×1 jpeg hack on a PHP server:
Create a 1×1 jpeg
Put the PHP code you want executed on the server in the embedded jpeg header, surrounded by tags
Name your file some_random_name.jpg.php
Tell your browser/os that a .php file is of type image/jpeg.
Upload the file
When that file is uploaded your file against a server that uses the above method(s) as a “security” check to prevent remote file upload & execution it will pass all checks, and will be executed whenever that file is requested by a client browser, whether it’s a direct request in the browser address or an embedded request in a <img> tag.

Categories: PHP Security