FUDforum
Home » FUDforum Development » Bug Reports » avatar upload
avatar upload [message #26868] Thu, 18 August 2005 08:06
Riklaunim (Poland) - Junior Member, registered August 2005
You check the avatar with getimagesize, which can be fooled. In Linux/Unix:

    cat image.png code.php > hack.php

This just appends PHP code to the end of a graphic file. getimagesize will return the image/png type for hack.php, while $_FILES['form_name']['type'] is application/x-php. I had to make a quick fix on one of the Polish forums (it uses 2.6.12), so at the top of index.php I've added:

    // Reject the upload unless the browser-reported MIME type is one of the image types
    if (isset($_FILES['avatar_upload']['type'])
        && $_FILES['avatar_upload']['type'] != 'image/png'
        && $_FILES['avatar_upload']['type'] != 'image/jpeg'
        && $_FILES['avatar_upload']['type'] != 'image/gif') {
        die('NO HACKING AROUND');
    }
    require('./GLOBALS.php');

(No time to search where oh where that form's PHP code is...)
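A hardened version of the avatar check, as an added example and not FUDforum's or the poster's code: it keeps getimagesize() as the first filter, re-encodes the image through GD so bytes appended after the image data are dropped, and derives the stored extension from the detected type rather than from the browser's file name or MIME type. The function name save_avatar, its parameters and the GD dependency are assumptions.

```php
<?php
// Added example, not FUDforum's own code. Assumes the GD extension is loaded and
// that $destDir is served as static files (no PHP handler for that directory).

function save_avatar(array $file, string $destDir): string
{
    // Allowed types keyed by the IMAGETYPE_* constant getimagesize() reports.
    // The stored extension comes from this table, never from the client.
    $allowed = [
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_GIF  => 'gif',
    ];

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // getimagesize() only parses the image header, so a valid image with PHP
    // appended (the cat trick from this thread) still passes this first check.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }

    // Decode the pixels and write a fresh file. Bytes appended after the image
    // data are not part of the decoded picture, so they do not survive.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image failed to decode');
    }

    $ext  = $allowed[$info[2]];
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;

    switch ($ext) {
        case 'png': $ok = imagepng($img, $dest); break;
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        default:    $ok = imagegif($img, $dest); break;
    }
    imagedestroy($img);

    if (!$ok) {
        throw new RuntimeException('Could not write avatar');
    }
    return $dest;
}
```

The server-generated name and table-derived extension mean an upload called 6746.php can only ever be stored as a .png, .jpg or .gif.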
Re: avatar upload [message #26870 is a reply to message #26868] Thu, 18 August 2005 09:02
Ilia (Canada) - Core Developer, Administrator
OK, and how would PHP code at the end of an image file be a problem?

FUDforum Core Developer
Re: avatar upload [message #26885 is a reply to message #26868] Fri, 19 August 2005 05:08
Riklaunim (Poland) - Junior Member
PHP code execution (drop some tables?) or stealing files like /etc/passwd and so on...
http://www.linux.com.pl/forum/images/custom_avatars/6746.php
PHP 4 will execute such a file. PHP 5 rather not, which is interesting.
Re: avatar upload [message #26887 is a reply to message #26885] Fri, 19 August 2005 09:30
Ilia (Canada) - Core Developer, Administrator
I am a bit confused. Are you saying that if you add some PHP code at the end of an image and upload such an image to the server, then when you download this image with an image/* MIME type the PHP code ends up being executed? I am having a very hard time believing this to be the case.

FUDforum Core Developer
Re: avatar upload [message #26908 is a reply to message #26868] Sat, 20 August 2005 04:55
Riklaunim (Poland) - Junior Member
If you open an image in Notepad you will see a lot of weird things - it is a binary file. If you add such a thing before <?PHP, functions like getimagesize will think that foo.php is a binary image file. It has been described on many PHP security sites.

Check this file. You will be able to upload it as an avatar here - but it is a .php file.
  • Attachment: upload.php (Size: 1.31KB, Downloaded 464 times)
Re: avatar upload [message #159280 is a reply to message #26908] Wed, 20 May 2009 07:20
naudefj (South Africa) - Core Developer, Administrator
This vulnerability was fixed in FUDforum 2.7.0 on 23 August 2005, just days after it was discovered. However, it's strange that so many so-called "security" sites still list it. Come on guys, it's already 2009 and time for you to update your outdated sites.