Is it possible to execute a php script in an image file?

  • I have an image upload php website. Users can upload images to my website. A user claims he can hack my website using an uploaded image.

    I opened all the images that he uploaded to my server with notepad. The last line of one image is:

    À[email protected] ;
    <?php
    
    echo "test ok";
    ?>
    

    Can he hack my website using this image? How do I prevent users from uploading images like this?

    Please tell us what check you already perform on the file. Do you check the extension at least? Some answers make assumptions on that.

    extension is .gif

    How do you display the image? The extension .gif at least reduces the possibility of code execution. If you use require() and not standard HTML then it's dangerous, else David Mah is right.

  • GBC (correct answer), 8 years ago

    Image uploads (any files in general) are very hard to make completely secure - especially in PHP, which provides many attack vectors.

    If you, for example display the image by calling

    require($someImage);
    

    and that image has PHP code inside (like the one you posted), it may be interpreted and executed as such.

    My guess is, if he claims he's owned your site, he most probably has. The image you've provided in itself won't do anything except print "test ok", but that code could easily be exchanged for some that gives unauthorized (even completely unrestricted) access to your site and server.

    To make sure the file uploaded to your site is in fact an image, re-process it using GD (or Imagick), and save the processed image. It's bad practice to save the original image, especially using the original file name, as this opens up for many other attacks (for example directory traversal and file overwriting).

    More information: https://www.owasp.org/index.php/Unrestricted_File_Upload

    +1. This seems to me to be the most likely attack vector in this case. If you have another page that does an `include()` or `require()` where the filename can be manipulated by the caller, all he has to do is work out how to call that. If your site displays PHP error messages, they may have given him clues as to how to proceed with this.

    How many times does a developer call `require($someImage);`?
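    The accepted answer's advice (never `require()` a user-supplied file; re-process the upload with GD and save the result under a new name) turned into a complete upload handler. This is an added example, not code from the question, the answer, or any of the commenters; the form field name `image`, the `$uploadDir` location, the size and dimension limits, and the function names are all assumptions. It needs PHP 8 and the GD extension.

    ```php
    <?php
    // Added example (not from the original post): hardened image upload.
    // Assumptions: form field "image", GD available, $uploadDir writable.
    declare(strict_types=1);

    // The pattern the accepted answer warns about. PHP does not care that the
    // file is called something.gif: require() executes any <?php ... ?> in it.
    function displayImageUnsafe(string $path): void
    {
        require($path); // never do this with user-controlled input
    }

    // Validate the upload by its content, decode it with GD, and re-encode the
    // pixel data to a fresh file. Trailing bytes (such as embedded PHP),
    // comments and metadata do not survive the re-encode.
    // Returns the generated filename or throws.
    function storeUploadedImage(array $file, string $uploadDir): string
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new RuntimeException('Upload failed, error ' . $file['error']);
        }
        if ($file['size'] > 2 * 1024 * 1024) {          // assumed 2 MiB limit
            throw new RuntimeException('File too large');
        }

        // getimagesize() reads the header; it ignores the extension and the
        // client-supplied MIME type, both of which the uploader controls.
        $info = @getimagesize($file['tmp_name']);
        if ($info === false) {
            throw new RuntimeException('Not a recognised image');
        }
        [$width, $height, $type] = $info;
        $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
        if (!isset($allowed[$type])) {
            throw new RuntimeException('Unsupported image type');
        }
        if ($width > 4096 || $height > 4096) {            // assumed limit; bounds GD memory use
            throw new RuntimeException('Image dimensions too large');
        }

        $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
        if ($img === false) {
            throw new RuntimeException('Image could not be decoded');
        }

        // Never reuse the client's filename: random name, extension fixed by
        // the detected type, so neither traversal nor overwriting is possible.
        $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$type];
        $dest = rtrim($uploadDir, '/') . '/' . $newName;

        $ok = match ($type) {
            IMAGETYPE_GIF  => imagegif($img, $dest),
            IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
            IMAGETYPE_PNG  => imagepng($img, $dest),
        };
        imagedestroy($img);
        if (!$ok) {
            throw new RuntimeException('Could not write processed image');
        }
        return $newName;
    }

    // Serving side: stream the bytes with an explicit Content-Type instead of
    // including the file. The name is matched against the exact format that
    // storeUploadedImage() generates, so nothing else can be requested.
    function displayImageSafe(string $uploadDir, string $name): void
    {
        if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $name)) {
            http_response_code(404);
            return;
        }
        $path = rtrim($uploadDir, '/') . '/' . $name;
        if (!is_file($path)) {
            http_response_code(404);
            return;
        }
        header('Content-Type: ' . mime_content_type($path));
        header('X-Content-Type-Options: nosniff');
        readfile($path);
    }

    // Usage (hypothetical request handling):
    // $name = storeUploadedImage($_FILES['image'], __DIR__ . '/uploads');
    // displayImageSafe(__DIR__ . '/uploads', $name);
    ```

    Two caveats a practitioner would add to the answer. First, re-encoding removes attacker-controlled bytes from the stored file, but the decode step itself runs on untrusted input, so GD (and the underlying libgd, libpng, libjpeg) must be kept patched and the dimension limit kept tight. Second, defence in depth: keep the upload directory outside the web root, or configure the web server not to execute PHP from it, so that even a file that slips through is only ever served as static bytes.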

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM