1

Is deleting the EXIF data from images using PHP enough to prevent malicious codes from being executed in a server?

I want to protect the server against the practices described in this blog post:

<?php

$img = imagecreatefromjpeg('malicious_codes.jpg');
$w = imagesx($img);
$h = imagesy($img);

$trans = imagecolortransparent($img);
if($trans >= 0) {

$rgb = imagecolorsforindex($img, $trans);

$oldimg = $img;
$img = imagecreatetruecolor($w,$h);
$color = imagecolorallocate($img,$rgb['red'],$rgb['green'],$rgb['blue']);
imagefilledrectangle($img,0,0,$w,$h,$color);
imagecopy($img,$oldimg,0,0,0,0,$w,$h);

}

imagejpeg($img,'safe_image.jpg');

?>
kalehmann
  • 4,821
  • 6
  • 26
  • 36
Fábio Linhares
  • 107
  • 1
  • 14
  • 1
    I think this is only harmful when you use include or require to open such a jpeg (like in the example). The main difference to readfile/file_get_contents/... is that these statements evaluate the content after reading. At least you should ensure to mask exif data with htmlspecialchars before you output it. – sofl Nov 06 '13 at 13:33
  • so i don't need to do all this http://hungred.com/useful-information/secure-file-upload-check-list-php/ right ? – Fábio Linhares Nov 06 '13 at 13:34
  • Content Type Verification - Verify Image File Content - Verify File Extension - Verify The Session - Random File Name ...etc – Fábio Linhares Nov 06 '13 at 13:37
  • It depends what you want todo with the uploaded files. – sofl Nov 06 '13 at 13:38
  • the images are only to be returned from the server as an html – Fábio Linhares Nov 06 '13 at 13:40
  • i just want to know if there is any function that while i am using cg that could ignite any codes within a image file – Fábio Linhares Nov 06 '13 at 13:43
  • after file upload, you can check if the image is an valid image file. You can do this with imagick or `getimagesize`. After this you can save this file where ever you want and later echo the new destination as an html image tag. there is nothing harmful at all until here. – sofl Nov 06 '13 at 13:48
  • But once i am replacing the file and deleting exif data at the same time i do not need the original... i will edit my question with a example code... – Fábio Linhares Nov 06 '13 at 13:51
  • There is absolutely no reason to be afraid of such injections with the shown code...Have you tried this code with the evil image from the website yet? (http://php.webtutor.pl/wp-content/uploads/2011/04/php-logo-virus.jpg) – sofl Nov 06 '13 at 13:57
  • By the way. The EXIF information get lost with your code. – sofl Nov 06 '13 at 14:02
  • yup, i injected a image file using that program and what happened is that the codes i injected simply where removed on the gd image ("safe_image.jpg"), but what i was afraid was the "injections with the shown code". But once you say there is no problem then i think you just answered my question .. thanks :) – Fábio Linhares Nov 06 '13 at 14:02
  • i was afraid that using those functions to generate a new file could ignite any codes before generating a new file – Fábio Linhares Nov 06 '13 at 14:04
  • The link you provided is outdated: now it'll redirect to an adv/spam site! (http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/) – user2342558 Aug 27 '19 at 14:16

2 Answers2

2

This will show you EXIF information from JPEG file in PHP. 

$uploadfile = "uploaded/pic.jpg";
$exif = exif_read_data($uploadfile, 0, true);
echo "<b>Your file</b><br />\n";
foreach ($exif as $key => $section) {
    foreach ($section as $name => $val) {
        echo "$key.$name: $val<br />\n";
    }
}

And this piece of code should delete all EXIF information

$img = new Imagick($uploadfile);
$img->stripImage();
$img->writeImage($uploadfile);

You can try it here: https://iconnaut.com/exif.php

buffy.cz
  • 66
  • 5
0

I think that if you manipulate the image of any way (resize for example), it lose some exif data. At least in an example in java happened this.

HERE also has an example using ExifTool.

EDIT:

see this post: Remove EXIF data from JPG using PHP

Community
  • 1
  • 1
fdam
  • 820
  • 1
  • 11
  • 25
  • i know how to remove the exif data, what i need to know is if it is a good measure to prevent malicious codes in jpg, gif or png like those in the link i provided in the question – Fábio Linhares Nov 06 '13 at 13:05
  • I had understood wrong, sorry. So, for security, if I don't need of exif data, I would remove all. But sincerely I don't know if this is the better way to prevent this. – fdam Nov 06 '13 at 13:42
  • The reason i ask is because essentially all the usual measures are to prevent the user from finding his file in the server, changing it, or doing whatever he wants to be able to execute the codes in it... – Fábio Linhares Nov 06 '13 at 13:46