• On The Insider: Britney's Bikini-Clad Top 10
June 20, 2007 9:07 AM PDT

PHP exploit code plants itself in GIF

by Dawn Kawamoto
  • Font size
  • Print
  • 8 comments

Security researchers on Tuesday found PHP exploit code embedded in a GIF on a major image hosting site. The exploit code slipped through the proverbial gates with the aid of a legitimate image at the beginning of the file, according to a posting on the Sans Internet Storm Center.

"It is a clever way to pass exploit code to others without it setting off alarms or attracting attention all while bypassing network security tools," the Sans security blog noted.

Malicious attackers planted PHP coded exploit script within an image file. PHP is often used as a programming language to create dynamic Web sites.

Once this type of malicious GIF is uploaded to a server, it can create havoc by remotely allowing more exploits to be deployed on the system, said Johannes Ullrich, chief research officer for the Sans Institute.

When users download the image to view it, the server parses the PHP code and the exploit is executed, as it serves the image to the user.

Over the past six months, this type of technique has been cropping up with greater frequency--from small family Web sites to, more recently, a major image hosting site, Ullrich said.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News. E-mail Dawn.
Topics:

Security

Tags:

Security,

PHP GIF exploit

Share:
Digg
Del.icio.us
Reddit
Recent posts from News Blog
Nvidia puts NForce chipset development on hold
Opera 10 browser is here
Neil Young Archives Blu-ray: Rip off?
Acronis revises survey results about backup habits
Acronis miscalculates data on users' bad backup habits
Flickr co-founder presses beta button
Comcast, Sony open retail store
Cox to try coaxing the Internet into submission
Related
Microsoft patches critical hole in Windows kernel
Microsoft warns of IE exploit code in the wild
Apple updates Safari for security
Apple plugs holes for domain spoofing, other attacks
Fake CDC vaccine e-mail leads to malware
Expert says Adobe Flash policy is risky
Phishing, worms spike this year, say Microsoft and McAfee
A child porn-planting virus: Threat or bad defense?
Add a Comment (Log in or register) (8 Comments)
  • prev
  • 1
  • next
so what was the site?
by afalubi June 20, 2007 9:46 AM PDT
Would be nice to know what the site was, to rule out the possibility that we were affected...
Reply to this comment
read
by anonymous8675309 June 20, 2007 11:45 AM PDT
Didn't you read the article.
The person downloading the graphic isn't affected, it is the server hosting the site that gets exploited.
It gets exploited when someone makes a request for that image.

This is basically a way to get arbitrary code running on a server by uploading a special .gif file.
good question
by thebumboys June 20, 2007 10:00 AM PDT
Security experts often work for security companys whose profit may rely on propogation of security fears.
Reply to this comment
PHP locally
by dragonbite June 20, 2007 10:17 AM PDT
If the coding is PHP and you download it on your computer, unless your computer can run PHP (like it has Apache or IIS w/PHP running) how can it run the PHP code?
Reply to this comment
Not your computer
by timber2005 June 20, 2007 10:32 AM PDT
Its being run on the server to open exploits when the user downloads an image.
unlikely . . .
by holdencaulfield June 20, 2007 10:40 AM PDT
From the article: "When users download the image to view it, the server parses the PHP code and the exploit is executed, as it serves the image to the user."

So, in other words, it's being run on the server, not on the client end (more details at http://isc.sans.org/diary.html?storyid=3003). It's a bi of a stretch to be found in the wild, as the server has to be configured to handle files with extensions of .gif as PHP files. Not unheard of, but also not very common . . .
story is ridiculous
by drmeister June 20, 2007 10:48 AM PDT
PHP doesn't execute image files. It's only going to be if the name is image.gif.php or some other code is referencing. This story is ridiculous. Server is not going to execute an image file when someone browses to a site
Reply to this comment
Bad Article Title
by anonymous8675309 June 20, 2007 11:51 AM PDT
PHP code isn't planting itself anywhere.
Some hacker put PHP code in the GIF and uploaded it, it isn't propagating itself like the title suggests. Anybody with half a brain who reads that tiny article would know that.
Shame on you CNET.
Now look at all these guys replying comments to this story who are confused...its all your fault.
Reply to this comment
(8 Comments)
  • prev
  • 1
  • next

Inside the Apple, er, Microsoft Store

Although Redmond's foray into retail bears a big resemblance to Apple's approach, Microsoft has added some distinctive features to draw casual PC buyers and techies alike.

Big marketing budget drives Moto Droid sales

Verizon and Motorola are spending big bucks--$100 million--on marketing the new smartphone, and it looks like it will pay off with 1 million devices sold by year's end.

About News Blog

Recent posts on technology, trends, and more.

Add this feed to your online news reader

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET