[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTikgZexNZWMC3BdGpoETzLdAyVpMYw@mail.gmail.com>
Date: Sun, 19 Jun 2011 02:58:16 +0200
From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Php gif upload thumbnail creation remote exploit
This technique describes how to exploit apps which encode pictures during a
Php upload. Embedding Php code inside gif files which are uploaded is a
known technique to execute arbitrary code on a Apache Php installation. Now
what can one do when the code which uploads the file processes and encodes
the file to a thumbnail and only this thumbnail is accessible remotely with
the correct extension? The gif file is crunshed and the embedded Php code
disappears, bad situation you might think. The solution is to zero out all
size fields of the gif file using a hex editor. The result after the upload
is that the encoding routine processes the file without modifying it because
of size checks. The Php code stays embedded in the file. -kc
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists