Jun 25, 2009
PHP GIF Image Security Issue
I just want to share the PHP GIF image security issue with other PHP guys out there.
Let’s say an attacker registers on your site and is asked for an avatar photo. The attacker uploads a PHP file named avatar.gif.php.
After the file is uploaded to the directory where the site keeps all images, the attacker makes an HTTP request for the GIF image that contains PHP code, such as http://site.com/images/avatar.gif.php. Because the file name ends in .php, the web server runs it as a script instead of serving it as an image.
Solution
1. As per the suggestions on phpclasses.org:
A. Configure your web server to limit access to the images directory so that it only accepts requests ending in gif, jpg or png extensions.
B. Do not use the getimagesize function to verify whether the uploaded file is actually a photo.
C. Serve the image with the readline function.
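The sketch below is an added example, not code from the original post or from phpclasses.org. It shows why a getimagesize-only check (suggestion B) does not catch the avatar.gif.php upload, and how an allowlist on the last extension plus a server-generated name does. The function names and the sample file are constructed for illustration.

```php
<?php
// Added example; function names and the sample file are constructed.

// Final extensions the images directory is allowed to hold (suggestion A).
const AVATAR_EXTENSIONS = ['gif', 'jpg', 'png'];

/**
 * Pick the on-disk name for an uploaded avatar, or null to reject it.
 * The client-supplied name is used only to read its last extension.
 */
function avatar_target_name(string $clientName): ?string
{
    // pathinfo() returns the LAST extension: "avatar.gif.php" gives "php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, AVATAR_EXTENSIONS, true)) {
        return null;
    }
    // Server-generated name, so nothing the client typed reaches the disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** What a getimagesize()-only check would conclude about a file (suggestion B). */
function looks_like_image(string $path): bool
{
    return @getimagesize($path) !== false;
}

// Constructed sample: an 11-byte GIF header followed by PHP source.
$tmp = tempnam(sys_get_temp_dir(), 'avatar');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00" . '<?php echo "ran"; ?>');

// The header check alone does not separate this file from a real photo.
var_dump(looks_like_image($tmp));

// The name check does: the upload from the post is refused ...
var_dump(avatar_target_name('avatar.gif.php'));
// ... while an allowed name is replaced by a random one ending in .gif.
var_dump(avatar_target_name('avatar.gif'));

unlink($tmp);
```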
I just learned from the PHPUGPH blog that its forum has been attacked by this security exploit. Here’s the link:
http://www.phpugph.com/blog/2009/06/24/update-phpugphs-smf-maliciously-attacked-now-back-online/
The good news is that everything is fixed and back to normal. :D
