Possible widespread PHP configuration issue - security risk

Ed W lists at wildgooses.com
Sat Aug 28 14:34:10 MSD 2010

  On 27/08/2010 16:45, Jim Ohlstein wrote:
> On 8/27/10 11:22 AM, Ed W wrote:
>> Create a test file test.jpg as follows:
>> # echo -e "\xff\xd8\xff\xe0\n<?php echo 'hello'; ?>" > test.jpg
>> # file test.jpg
>> test.jpg: JPEG image data
>> Now try and upload this test.jpg file to your server. If it succeeds
>> then probably turn off the server until you fix the issue...
> It doesn't work on the apps I mentioned. It simply won't upload.

The apps you mentioned were vBulletin and IPB.  I have done a little 
more research on this and I believe I can smuggle in the PHP using  jpeg 
comments.  The resulting file should pass all tests as a valid JPG, but 
still be executable to the PHP interpreter...

The point is: my expectation is that with a bit of wriggling it should 
be possible to find something which should get past your image upload 
checks, but your PHP interpreter will still happily process it.  If your 
server is misconfigured to allow accidental execution of such files then 
I think you have a gaping hole in your security...  Bottom line is to 
*completely disable* execution of all untrusted files (variety of ways 
to do that of course)

Personally I don't believe in trusting *only* to the upload filtering to 
secure a web application.  There is simply too much subtlety here that a 
well crafted file should eventually be able to bypass...

Ed W

More information about the nginx mailing list