Bug #69002: Possible to bypass getimagesize
Submitted: 2015-02-07 07:53 UTC
Modified: 2015-02-07 10:10 UTC
From: king4aol at gmail dot com
Assigned:
Status: Not a bug
Package: GetImageSize related
PHP Version: Irrelevant
OS: Any
Private report: No
CVE-ID: None
 [2015-02-07 07:53 UTC] king4aol at gmail dot com
Description:
------------
According to the documentation:
"The getimagesize() function will determine the size of any given image file and return the dimensions along with the file type and a height/width text string to be used inside a normal HTML IMG tag and the correspondant HTTP content type."

Many developers just rely on this function while uploading images, as it is stated that it will also provide the content type, and just check the extension at the client side. But it is very easy to bypass this function and execute commands.

Test script:
---------------
For test purposes I use the gifsicle utility for adding comments into a GIF.
Command:
gifsicle -c '<?php ?>' anygif.gif > phpgif.gif

Then, while uploading, change the extension to .php with Burp Suite or any other tool, and you have successfully uploaded your shell. getimagesize won't check the file extension; that's why many websites are vulnerable, due to some noob developers and the failure of this function.
I am reporting this to you after compromising the security of many websites, and I have helped them to secure their systems.


 [2015-02-07 10:10 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2015-02-07 10:10 UTC] requinix@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

getimagesize() merely provides information about an image. It does not, nor does it claim to, perform anything resembling validation beyond what is strictly required to derive the information it seeks.
Anyone relying on it for complete validation of a file is abusing it at their own risk.
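
An added example, not part of the original thread or of PHP itself: one way to handle an upload so that getimagesize() is used only to detect the type, while the server assigns the extension and re-encodes the pixels. It assumes PHP 8 with the GD extension; `store_uploaded_image`, the allowlist and the temp-directory destination are hypothetical.

```php
<?php
// Detected image type => extension the server assigns (assumed allowlist).
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Hypothetical helper: validates, re-encodes and stores one uploaded image.
function store_uploaded_image(string $tmpPath, string $destDir): string
{
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not an accepted image type');
    }
    // Decode and re-encode with GD so only pixel data survives; comment
    // blocks and other metadata are not copied into the output file.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('image data could not be decoded');
    }
    // Name and extension come from the server, never from the client.
    $ext  = ALLOWED_TYPES[$info[2]];
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'gif' => imagegif($img, $dest),
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

// Constructed sample: a 1x1 GIF carrying a comment block with the PHP
// tags from the report, written to a temp file as if it were an upload.
$im = imagecreate(1, 1);
imagecolorallocate($im, 255, 255, 255);
ob_start();
imagegif($im);
$gif = substr((string) ob_get_clean(), 0, -1);   // drop the trailer byte 0x3B
$tag = '<?php ?>';
$gif .= "\x21\xFE" . chr(strlen($tag)) . $tag . "\x00\x3B";
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif);
$stored = store_uploaded_image($tmp, sys_get_temp_dir());
var_dump(getimagesize($tmp) !== false);                       // does the crafted input pass getimagesize()?
var_dump(str_contains(file_get_contents($stored), '<?php'));  // is the tag still present after re-encoding?
```

GD keeps only the first frame of an animated GIF, and the destination should be a directory from which the web server does not execute scripts.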
 
Last updated: Thu Jul 18 17:01:26 2019 UTC