Message-ID: <BANLkTikgZexNZWMC3BdGpoETzLdAyVpMYw@mail.gmail.com>
Date: Sun, 19 Jun 2011 02:58:16 +0200
From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Php gif upload thumbnail creation remote exploit

This technique describes how to exploit apps which encode pictures during a
PHP upload. Embedding PHP code inside GIF files which are uploaded is a
known technique to execute arbitrary code on an Apache PHP installation. Now
what can one do when the code which uploads the file processes and encodes
the file to a thumbnail and only this thumbnail is accessible remotely with
the correct extension? The GIF file is crunched and the embedded PHP code
disappears, bad situation you might think. The solution is to zero out all
size fields of the GIF file using a hex editor. The result after the upload
is that the encoding routine processes the file without modifying it because
of size checks. The PHP code stays embedded in the file.

-kc
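
An upload-side check for the condition described in the post above, added here as an example and not part of the original message: it walks the GIF structure and flags files whose logical-screen or frame size fields are zero, or which contain a PHP opening tag. The function names, finding labels and sample bytes are constructed for illustration.

```python
import struct

PHP_TAGS = (b"<?php", b"<?=")  # bare "<?" omitted: too common in binary data

def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + payload, 0 ends)."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def audit_gif(data):
    """Return a list of findings for one uploaded GIF; an empty list means clean."""
    findings = []
    if any(tag in data.lower() for tag in PHP_TAGS):
        findings.append("php-open-tag")
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        return findings + ["not-a-gif"]
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        findings.append("zero-screen-size")
    pos = 13 + (3 << ((packed & 7) + 1) if packed & 0x80 else 0)  # skip global palette
    try:
        while data[pos] != 0x3B:                       # 0x3B = trailer
            if data[pos] == 0x21:                      # extension: label + sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif data[pos] == 0x2C:                    # image descriptor
                w, h, ipacked = struct.unpack_from("<HHB", data, pos + 5)
                if w == 0 or h == 0:
                    findings.append("zero-frame-size")
                pos += 10 + (3 << ((ipacked & 7) + 1) if ipacked & 0x80 else 0)
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW min code size
            else:
                raise ValueError("unknown block")
    except (IndexError, ValueError, struct.error):
        findings.append("malformed-structure")
    return findings

# Constructed samples: a 1x1 GIF, and the same layout with its size fields
# zeroed and an inert marker tag inside a comment extension.
_BODY = b"\x02\x02\x44\x01\x00"  # LZW min code size, one data sub-block, terminator
CLEAN = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\xff" * 6
         + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + _BODY + b"\x3b")
SUSPECT = (b"GIF89a" + struct.pack("<HHBBB", 0, 0, 0x80, 0, 0) + b"\xff" * 6
           + b"\x21\xfe\x05<?php\x00"
           + b"\x2c" + struct.pack("<HHHHB", 0, 0, 0, 0, 0) + _BODY + b"\x3b")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_gif(blob))
```

Run it against the stored thumbnail as well as the original upload, since the post's point is that the thumbnail step can pass such a file through unchanged.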
