7

Possible Duplicate:
Is it possible to execute PHP with extension file.php.jpg?

I accidentally left a fileupload to my site, and it got hacked (STUPID ME). The hacker had uploaded a file index.php.jpg with the uploader, and simply accessed my site (it was a shell99 script) with it, but I can't understand why it will work. Someone smart enough to explain this?

Community
  • 1
  • 1
  • 5
    Is the file named `index.php.jpg` or `index.jpg.php`? – Дамян Станчев Oct 02 '12 at 13:48
  • Because in fact _nobody_ is interested in a file extension ;) it is just a hint on what _may_ be inside the file, but nothing more. – KingCrunch Oct 02 '12 at 13:49
  • If it was a .php you are a silly monkey :P – Chris Oct 02 '12 at 13:49
  • 3
    [Is it possible to execute PHP with extension file.php.jpg?](http://stackoverflow.com/questions/8025236/is-it-possible-to-execute-php-with-extension-file-php-jpg) – smilly92 Oct 02 '12 at 13:50
  • @KingCrunch this would be perfect, but it is not true. Using "extension" is much faster that checking file magic bytes, so HTTP relies on that. – Marcin Orlowski Oct 02 '12 at 13:50
  • @WebnetMobile.com Oh ... HTTP is just a "stupid" protocol, that doesn't even rely on files :D A webserver _may_ rely on it, because it is configured to do so (by you or a hacker, or whoever). It's always a human (namely: an admin), that tells the machine to rely on it. – KingCrunch Oct 02 '12 at 13:51
  • @KingCrunch I meant `httpd` not `HTTP` as I wrote. Not sure does not by default rely on extension, but I think most would as it is just faster. – Marcin Orlowski Oct 02 '12 at 15:14

2 Answers2

8

Apache controls what file extensions can and cannot execute PHP. This can be controlled on a server-level, or a per-site level (such as with .htaccess).

By default, a .jpg extension should not allow PHP execution. Perhaps the filename was really index.jpg.php and you have misread. However, in the event that the filename is really index.php.jpg, you'll need to look into all possible locations and lock-down your configuration to only allow .php extensions to execute PHP.

newfurniturey
  • 37,556
  • 9
  • 94
  • 102
  • 1
    It was index.php.jpg, because the script only accepted files with extensions .jpg or .png. I don't have the site on a server that I own, so I don't have access to the apache config, so I'll ask this from the server owner- –  Oct 02 '12 at 16:00
3

Filename was either forged, with \x000 inserted which fooled httpd, or .htaccess was planted as well to enforce PHP for jpg files.

Marcin Orlowski
  • 72,056
  • 11
  • 123
  • 141