FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » avatar upload
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
avatar upload [message #26868] Thu, 18 August 2005 12:06 Go to next message
Riklaunim is currently offline  Riklaunim   Poland
Messages: 3
Registered: August 2005
Karma: 0
Junior Member
You check the avatar with getimagesize which can be fooled, in linux/unix:
cat image.png code.php > hack.php

just adds at the end of a graphic file PHP code. getimagesize will returm image/png type for hack.php Smile $_FILES['form_name']['type'] - application/x-php Smile I had to make a quick fix on one of Polish forums (uses 2.6.12) so at the top of index.php I've added:
IF(isset($_FILES['avatar_upload']['type']) and $_FILES['avatar_upload']['type'] != 'image/png' and $_FILES['avatar_upload']['type']  != 'image/jpeg' and $_FILES['avatar_upload']['type'] != 'image/gif')
		{
		die('NO HACKING AROUND');
		}
	require('./GLOBALS.php');

Smile (no time to search where oh where is that form PHP code... Razz)
Re: avatar upload [message #26870 is a reply to message #26868] Thu, 18 August 2005 13:02 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Ok, and how would php code @ the end of an image file be a problem?

FUDforum Core Developer
Re: avatar upload [message #26885 is a reply to message #26868] Fri, 19 August 2005 09:08 Go to previous messageGo to next message
Riklaunim is currently offline  Riklaunim   Poland
Messages: 3
Registered: August 2005
Karma: 0
Junior Member
PHP code execution (drop some tables?) or steal files like /etc/passwd and so one...
http://www.linux.com.pl/forum/images/custom_avatars/6746.php
PHP 4 will execute such file. PHP5 rather not Smile which is interesting.
Re: avatar upload [message #26887 is a reply to message #26885] Fri, 19 August 2005 13:30 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
I am bit confused, are you saying that if you add some php code @ the end of a image and upload such image to the server. Then when you download this image with image/* mime type the php code ends up being executed? I am having a very hard time believing this to be the case.

FUDforum Core Developer
Re: avatar upload [message #26908 is a reply to message #26868] Sat, 20 August 2005 08:55 Go to previous messageGo to next message
Riklaunim is currently offline  Riklaunim   Poland
Messages: 3
Registered: August 2005
Karma: 0
Junior Member
If you open an image in a notepad you will see a lot of weird things - binary file. If you add such thing before <?PHP functions like getimagesize will think that foo.php is a binary image file Smile It has been described on many PHP security sites.

Check this file. You will be able to upload it as an avatar here - but it is a .php file Smile
  • Attachment: upload.php
    (Size: 1.31KB, Downloaded 974 times)
Re: avatar upload [message #159280 is a reply to message #26908] Wed, 20 May 2009 11:20 Go to previous message
naudefj is currently offline  naudefj   South Africa
Messages: 3771
Registered: December 2004
Karma: 28
Senior Member
Administrator
Core Developer
This vulnerability was fixed in FUDforum 2.7.0 on 23 August 2005, just days after it was discovered. However, it's strange that so many so-called "security" sites still lists it. Come-on guys, it's already 2009 and time for you to update your outdated sites.
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Maillist.php patch for pure html mails
Next Topic: NNTP - Conversion of special characters (UTF-8) doesn't work
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 21 14:48:47 GMT 2024

Total time taken to generate the page: 0.02589 seconds