FUDforum: Bug Reports » avatar upload

Home » FUDforum Development » Bug Reports » avatar upload

Show: Today's Messages :: Polls :: Message Navigator

avatar upload [message #26868]

Thu, 18 August 2005 12:06

Riklaunim

Messages: 3
Registered: August 2005

Karma: 0

Junior Member

You check the avatar with getimagesize which can be fooled, in linux/unix:

cat image.png code.php > hack.php

just adds at the end of a graphic file PHP code. getimagesize will returm image/png type for hack.php Smile

$_FILES['form_name']['type'] - application/x-php Smile

I had to make a quick fix on one of Polish forums (uses 2.6.12) so at the top of index.php I've added:

IF(isset($_FILES['avatar_upload']['type']) and $_FILES['avatar_upload']['type'] != 'image/png' and $_FILES['avatar_upload']['type']  != 'image/jpeg' and $_FILES['avatar_upload']['type'] != 'image/gif')
		{
		die('NO HACKING AROUND');
		}
	require('./GLOBALS.php');

(no time to search where oh where is that form PHP code... Razz

)

Report message to a moderator

Re: avatar upload [message #26870 is a reply to message #26868]

Thu, 18 August 2005 13:02

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

Ok, and how would php code @ the end of an image file be a problem?

FUDforum Core Developer

Report message to a moderator

Re: avatar upload [message #26885 is a reply to message #26868]

Fri, 19 August 2005 09:08

Riklaunim

Messages: 3
Registered: August 2005

Karma: 0

Junior Member

PHP code execution (drop some tables?) or steal files like /etc/passwd and so one...
http://www.linux.com.pl/forum/images/custom_avatars/6746.php
PHP 4 will execute such file. PHP5 rather not Smile

which is interesting.

Report message to a moderator

Re: avatar upload [message #26887 is a reply to message #26885]

Fri, 19 August 2005 13:30

Ilia

Messages: 13241
Registered: January 2002

Karma: 0

Senior Member
Administrator
Core Developer

I am bit confused, are you saying that if you add some php code @ the end of a image and upload such image to the server. Then when you download this image with image/* mime type the php code ends up being executed? I am having a very hard time believing this to be the case.

FUDforum Core Developer

Report message to a moderator

Re: avatar upload [message #26908 is a reply to message #26868]

Sat, 20 August 2005 08:55

Riklaunim

Messages: 3
Registered: August 2005

Karma: 0

Junior Member

If you open an image in a notepad you will see a lot of weird things - binary file. If you add such thing before <?PHP functions like getimagesize will think that foo.php is a binary image file Smile

It has been described on many PHP security sites.

Check this file. You will be able to upload it as an avatar here - but it is a .php file Smile

Attachment: upload.php
(Size: 1.31KB, Downloaded 932 times)

Report message to a moderator

Re: avatar upload [message #159280 is a reply to message #26908]

Wed, 20 May 2009 11:20

naudefj

Messages: 3771
Registered: December 2004

Karma: 28

Senior Member
Administrator
Core Developer

This vulnerability was fixed in FUDforum 2.7.0 on 23 August 2005, just days after it was discovered. However, it's strange that so many so-called "security" sites still lists it. Come-on guys, it's already 2009 and time for you to update your outdated sites.

Report message to a moderator

Previous Topic:	Maillist.php patch for pure html mails
Next Topic:	NNTP - Conversion of special characters (UTF-8) doesn't work

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sun May 26 16:21:00 GMT 2024

Total time taken to generate the page: 0.02802 seconds