Re: Interesting article about PHP security exploit by GIF files


On 6/20/07, tedd <tedd@xxxxxxxxxxxx> wrote:
At 12:53 PM -0400 6/20/07, Daniel Brown wrote:
>
>    No, not the upload and execution, per se, but rather using images
>to contain processable PHP code.
>
>--
>Daniel P. Brown


Daniel:

Wow! Now that's something I would like to see -- do you have a demo?

As far as "legitimate reasons", how about image buttons that execute
code without having to tie them to "href=" statements. Like a "grab
this image for that function" sort of thing. I see lots of
possibilities.

Cheers,

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


   One reason I used the method was as an added layer of security,
embedding code I wanted to keep more secret in a less-than-obvious
file, using steganography (which is something you learn in the
fundamentals of computer forensics, and I just carried it to my
programming as well).  For example, if I had some hard-coded
configuration parameters, I could embed them into a .gif image, which
would display fine on the server if viewed, but if opened in a text
editor, would show the obfuscated binary plus the configuration
parameters in plain text.  Of course, the file still shouldn't be in a
web-accessible directory, and could still be viewed by finding out
what files are included, but through things like Zend Optimizer and
such, it makes it a bit more trivial.

   Anyone with any knowledge of stack tracing could still get the
files and information, but it would knock the script kiddies off the
trail.  Plus, it was just something different and fun to do while I
was working for the government.  You get a lot of those, "wow, that's
really high-tech" statements from the project managers with eight
years of school and zero experience ("make sure you turn on your
Microsoft virus scanner so that you won't ever get a virus" was one of
my favorite quotes).

<rant sigh="on">
   All in all, I don't miss that aspect of it.  Some of the managers
were so worried about us unveiling new things because they couldn't
follow along.  Rather than ask questions and try to understand how our
stuff worked, they'd shoot us down and, in turn, continue to burn the
budget and resources on some really ludicrous "enterprise" technology.
It's a shame.... discoveries by many can be lost in the pride of one.
</rant>
--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
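The thread describes GIF files that still render as images but carry PHP code (here, hard-coded configuration values) that PHP will process if the file is ever included. From the defender's side, the useful check is whether a file that claims to be an image is only an image. The scanner below is an added example, not code from this thread or from the PHP project: it walks the GIF block structure to find where the image actually ends, reports any bytes after the trailer, and searches the whole file for PHP open tags, because code can also sit inside a comment extension before the trailer. The three sample files are constructed inline; Python is used because a stand-alone scanner for an upload or include directory need not be written in PHP.

```python
import re
import struct

# PHP open tags: "<?php", "<?=" and the short "<? " form. Aggressive by design;
# a real image has no business containing any of them.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks (size byte + data, ending with 0)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_trailer_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer (0x3B).

    Raises ValueError when the data is not a GIF or the structure is malformed.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF signature")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:                          # global colour table follows the LSD
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer: the image ends here
            return pos
        if block == 0x21:                      # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                    # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:            # local colour table
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos += 1                           # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block id 0x{block:02x} at offset {pos - 1}")


def scan_gif(data: bytes) -> dict:
    """Report structural findings and PHP tag locations for a supposed GIF."""
    report = {"valid_gif": False, "trailing_bytes": 0, "php_tag_offsets": []}
    try:
        end = gif_trailer_end(data)
        report["valid_gif"] = True
        report["trailing_bytes"] = len(data) - end
    except ValueError as exc:
        report["error"] = str(exc)
    report["php_tag_offsets"] = [m.start() for m in PHP_TAG.finditer(data)]
    return report


def review_reasons(data: bytes) -> list:
    """Human-readable reasons to quarantine the file; an empty list means clean."""
    report = scan_gif(data)
    reasons = []
    if not report["valid_gif"]:
        reasons.append("not a well-formed GIF: " + report["error"])
    if report["trailing_bytes"]:
        reasons.append(f"{report['trailing_bytes']} bytes after the GIF trailer")
    if report["php_tag_offsets"]:
        reasons.append("PHP open tag at offsets " + ", ".join(map(str, report["php_tag_offsets"])))
    return reasons


# --- constructed samples (not from the thread) --------------------------------
# Minimal 1x1 GIF89a: header, logical screen descriptor, one image block, trailer.
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"   # header + LSD, no colour table
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"   # image descriptor
    + b"\x02" + b"\x02\x44\x01" + b"\x00"                    # LZW min code size + data sub-blocks
    + b"\x3b"                                                # trailer
)
# What the thread describes: a rendering GIF with PHP (config values) appended after the trailer.
APPENDED_PHP_GIF = CLEAN_GIF + b"\n<?php $db_pass = 'placeholder'; ?>\n"
# The same idea hidden inside a comment extension, so nothing follows the trailer.
_comment = b"<?php echo 1; ?>"
COMMENT_PHP_GIF = (
    CLEAN_GIF[:13] + b"\x21\xfe" + bytes([len(_comment)]) + _comment + b"\x00" + CLEAN_GIF[13:]
)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_GIF), ("appended", APPENDED_PHP_GIF), ("comment", COMMENT_PHP_GIF)]:
        print(name, review_reasons(blob) or ["clean"])
```

The parser walks the block structure instead of searching for the last 0x3B byte because that byte is also ASCII ';', which any appended PHP statement will contain; a "find the last trailer byte" heuristic would place the end of the image inside the payload. The tag search runs over the whole file regardless of structure, which is what catches the comment-extension variant, where the GIF is perfectly well-formed and nothing trails it. A decoder-based check (re-encoding the upload and discarding the original) is the stronger control; this scanner is for auditing files already on disk.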

