PHP security exploit with GIF images
Recently, I read some interesting articles about the “PHP security exploit that can be performed using specially crafted GIF images that embed malicious PHP code”. The problem discovered is that PHP code can be inserted into a GIF image and, surprisingly, the file will still be recognized as a valid image by the PHP function getimagesize(). Definition of the PHP function getimagesize() in the PHP Manual:
However, how far is the statement “If accessing the filename image is impossible, or if it isn’t a valid picture, getimagesize() will return FALSE” true? Whatever your answer, my suggestion is that from now on you should never rely on getimagesize() to validate that a given file is in a valid image format.
The following is a practical example that I worked through to demonstrate the GIF exploitation problem faced by the PHP community. My image file was a 32 x 32 pixel GIF image: logo.gif. I edited it with a hex editor (i.e. a binary file editor) and appended some PHP code at the end of the file (as shown in the diagram above). I then saved it as a PHP file: logo.php. After that, you can browse to logo.php from your browser, and you will get the result shown in the diagram below. The PHP script embedded in the crafted GIF image was executed successfully!
Next, we can write a script that uses getimagesize() to verify logo.php. The script is shown in the diagram below. OK, let’s see what the output of the script is:
Surprisingly, the output will be…
Yup! You should now trust your eyes rather than the getimagesize() function. As you can see, getimagesize() says “logo.php is a valid 32 x 32 pixels GIF-image.” Too bad ;( At this stage, you should be aware of the security problem that arises from this issue. Just imagine what would happen if you had written a web system that depends fully on getimagesize() to validate the images uploaded by web users. Obviously, you will pay for it, because not everyone is kind enough to just echo “Hello World”!
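
An added example, not from the original post, of handling an uploaded GIF without relying on getimagesize() alone: the image is decoded and re-encoded with GD, and stored under a server-generated name with a fixed .gif extension. The function name store_uploaded_gif, the marker string and the storage directory are assumptions for illustration, and the example assumes the web server hands only .php files to the PHP interpreter.

```php
<?php
// Added example, not from the original post. Requires the GD extension.
// $uploadDir is assumed to sit outside the web root (hypothetical path).

function store_uploaded_gif(string $tmpPath, string $uploadDir): string
{
    // getimagesize() reads only the header, so this is a first filter, not proof.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== IMAGETYPE_GIF) {
        throw new RuntimeException('Not a GIF image');
    }

    // Decode the pixels and write a fresh file: bytes appended after the
    // image data are not carried over. (GD keeps only the first frame.)
    $img = @imagecreatefromgif($tmpPath);
    if ($img === false) {
        throw new RuntimeException('GIF could not be decoded');
    }

    // Server-generated name with a fixed extension; the client's file name
    // is never used, so the stored file cannot end in .php.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.gif';
    if (!imagegif($img, $dest)) {
        throw new RuntimeException('Could not write re-encoded image');
    }
    return $dest;
}

// Constructed test input: a 32 x 32 GIF with extra bytes appended,
// standing in for the edited logo.gif described above.
$marker = 'CONSTRUCTED-TRAILING-BYTES';
$tmp = tempnam(sys_get_temp_dir(), 'gif');
$src = imagecreate(32, 32);
imagecolorallocate($src, 255, 255, 255);
imagegif($src, $tmp);
file_put_contents($tmp, $marker, FILE_APPEND);

$info = getimagesize($tmp);
echo "getimagesize: {$info[0]} x {$info[1]}, type {$info[2]}\n";

$stored = store_uploaded_gif($tmp, sys_get_temp_dir());
$clean = strpos(file_get_contents($stored), $marker) === false;
echo 'marker in stored file: ' . ($clean ? 'no' : 'yes') . "\n";
unlink($tmp);
unlink($stored);
```

Re-encoding is a second layer; the control that matters most is that the stored file never gets a name or location from which the server would execute it.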
3 Comments
droool said,
Comment • June 23, 2007 @ 3:12 am
now that seems to be another serious loophole for php coded site
admin said,
Comment • June 23, 2007 @ 4:12 am
Ya, I agree with your point. Security problems rarely come from PHP itself; it depends on how the coders write their code! Anyway, the reason for posting this issue is just to point out that the getimagesize() function can be exploited and would fail in validating the image, even though the PHP Manual itself claims that this function will return FALSE for an invalid image.
Tim said,
Comment • June 23, 2007 @ 12:34 am
It’s not really a problem if you only allow images with valid extensions to be uploaded in the first place.
A correctly written script would not be affected.