PHP exploit code plants itself in GIF

Security researchers on Tuesday found PHP exploit code embedded in a GIF on a major image hosting site. The exploit code slipped through the proverbial gates with the aid of a legitimate image at the beginning of the file, according to a posting on the Sans Internet Storm Center.

"It is a clever way to pass exploit code to others without it setting off alarms or attracting attention all while bypassing network security tools," the Sans security blog noted.

Malicious attackers planted PHP coded exploit script within an image file. PHP is often used as a programming language to create dynamic Web sites.

Once this type of malicious GIF is uploaded to a server, it can create havoc by remotely allowing more exploits to be deployed on the system, said Johannes Ullrich, chief research officer for the Sans Institute.

When users download the image to view it, the server parses the PHP code and the exploit is executed, as it serves the image to the user.

Over the past six months, this type of technique has been cropping up with greater frequency--from small family Web sites to, more recently, a major image hosting site, Ullrich said.

[afalubi]

so what was the site?

Would be nice to know what the site was, to rule out the possibility that we were affected...

[anonymous8675309]

read

Didn't you read the article.
The person downloading the graphic isn't affected, it is the server hosting the site that gets exploited.
It gets exploited when someone makes a request for that image.

This is basically a way to get arbitrary code running on a server by uploading a special .gif file.

[thebumboys]

good question

Security experts often work for security companys whose profit may rely on propogation of security fears.

[dragonbite]

PHP locally

If the coding is PHP and you download it on your computer, unless your computer can run PHP (like it has Apache or IIS w/PHP running) how can it run the PHP code?

[timber2005]

Not your computer

Its being run on the server to open exploits when the user downloads an image.

[holdencaulfield]

unlikely . . .

From the article: "When users download the image to view it, the server parses the PHP code and the exploit is executed, as it serves the image to the user."

So, in other words, it's being run on the server, not on the client end (more details at http://isc.sans.org/diary.html?storyid=3003). It's a bi of a stretch to be found in the wild, as the server has to be configured to handle files with extensions of .gif as PHP files. Not unheard of, but also not very common . . .

[drmeister]

story is ridiculous

PHP doesn't execute image files. It's only going to be if the name is image.gif.php or some other code is referencing. This story is ridiculous. Server is not going to execute an image file when someone browses to a site

[anonymous8675309]

Bad Article Title

PHP code isn't planting itself anywhere.
Some hacker put PHP code in the GIF and uploaded it, it isn't propagating itself like the title suggests. Anybody with half a brain who reads that tiny article would know that.
Shame on you CNET.
Now look at all these guys replying comments to this story who are confused...its all your fault.