Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:60477
Return-Path: <tyra3l@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 71104 invoked from network); 5 May 2012 17:58:13 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 May 2012 17:58:13 -0000
Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.170 as permitted sender)
X-PHP-List-Original-Sender: tyra3l@gmail.com
X-Host-Fingerprint: 209.85.220.170 mail-vc0-f170.google.com  
Received: from [209.85.220.170] ([209.85.220.170:41748] helo=mail-vx0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id AA/67-30075-43A65AF4 for <internals@lists.php.net>; Sat, 05 May 2012 13:58:13 -0400
Received: by vcbfo14 with SMTP id fo14so680132vcb.29
        for <internals@lists.php.net>; Sat, 05 May 2012 10:58:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=cK15H/x/tHaH46WkXQP4qEJNsTkMPg9lAbYnLY4Ef+0=;
        b=d1q3V+1uQijFppfzhKcd8A4MYhE2MkjIlqs666YnY0v/tCJPPv+ZrDXdYlANjqc33r
         n9P7dO2jQQCic7BScJx51adEAUWEO/xGNLkt/tBqvq0viBGxF6g2oLYBKBAKldeGWmY3
         MafzVQ0Vr0994c6yzpvXNKQ/L/DBpKu7Hj6PhjcXViLNEZnUBW4k7gY/nRwYEzhsEBLG
         dA6n7uwwkbnLiYgitOD0+xd61qg88zBdUv3Kw0lUgc33NGwgWFBN/zIDR8Zi1z4h+jrY
         q+zsKuVO7/iSkNdU3kVfeRiGeW4RFKIGaxmrT2swRVpjiDua0ivppOdrBv9c/Db7tJrS
         ILKw==
MIME-Version: 1.0
Received: by 10.52.36.40 with SMTP id n8mr4151360vdj.84.1336240690304; Sat, 05
 May 2012 10:58:10 -0700 (PDT)
Received: by 10.220.124.140 with HTTP; Sat, 5 May 2012 10:58:10 -0700 (PDT)
In-Reply-To: <58e8965ff524a3ff98ba3cbb5028ddba.squirrel@www.l-i-e.com>
References: <b7af37b0e8d38a500944f542b7ff234e.squirrel@www.l-i-e.com>
	<CAH-PCH6oBe1uVtWoLWyr3+FvEVBxaWZNK+JWtRLx6U0FzSgXDQ@mail.gmail.com>
	<58e8965ff524a3ff98ba3cbb5028ddba.squirrel@www.l-i-e.com>
Date: Sat, 5 May 2012 19:58:10 +0200
Message-ID: <CAH-PCH7O=ZNJrxpybSULOdGLHi-nnNk6e9tdW9ko7RPDygpHVA@mail.gmail.com>
To: Richard Lynch <ceo@l-i-e.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=20cf3079b7fcae153004bf4dc7b0
Subject: Re: [PHP-DEV] JPEG Upload
From: tyra3l@gmail.com (Ferenc Kovacs)

--20cf3079b7fcae153004bf4dc7b0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sat, May 5, 2012 at 7:50 PM, Richard Lynch <ceo@l-i-e.com> wrote:

> On Sat, May 5, 2012 12:29 pm, Ferenc Kovacs wrote:
> > On Sat, May 5, 2012 at 6:32 PM, Richard Lynch <ceo@l-i-e.com> wrote:
> >
> >> On Tue, April 10, 2012 1:13 pm, John Crenshaw wrote:
> >> >In
> >> > most systems you can upload *anything* with a .jpg extension and
> >> the
> >> > app will take it, so you can still include the file
> >>
> >> People don't use imagecreatefromjpeg() to be sure it isn't some ware
> >> or executable or PHP script disguised as a JPEG?!
> >>
> >> That's just crazy.
> >>
> >> And inexcusable in a framework.
> >>
> >> Somebody might be able to craft a "JPEG" that validates and still
> >> manages to somehow parse some PHP in the middle... Probably using
> >> JPEG
> >> comments so it's easier.
> >>
> >>
> > yeah, and injecting php code through the jpeg comments isn't new also,
> > see
> >
> http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimages=
ize/
> > but
> > I bet I could find even older posts discussing the topic.
> > so imo the correct remedy for this situation is to prevent your
> > uploaded
> > files to be executed at the first place, instead of trying to write an
> > error-prone method to detect malicious content inside your uploaded
> > media
> > files.
>
> getImageSize is not better than file Info...
>

I didn't talked about at all.


>
> If the whole thing parses as an image with imagecreatefromjpeg() I
> should think that's a bit tougher to create a hack that works.
>

maybe, but would you bet your site's security on it?


>
> Then one can strip off the exif info with the comments, I believe.
>

yeah, you just have to totally understand all of your supported media
formats just to make sure that there is no other way to inject malicious
php code.


>
> And, yes, ideally one would keep images in a totally separate
> directory not even in the webtree... Which I do, but some folks can
> bear the cost of passing the image "through" PHP.
>

yeah, for bigger sites, you would already serve the static assets through
some other http server (something lightweight more suited for serving
static files, like nginx, cherokee, lighty, etc.) on a separate domain, on
a separate box.
even if you serve those on the same vhost, you could still do engine off (
http://www.php.net/manual/en/apache.configuration.php#ini.engine) for that
directory where you keep your uploaded files, which would prevent the
direct execution of those files.
one could still execute those malicious files if you have a Local File
Inclusion vulnerability but if you do, that's game over for most
cases already.

--=20
Ferenc Kov=C3=A1cs
@Tyr43l - http://tyrael.hu

--20cf3079b7fcae153004bf4dc7b0--