
PHP Exploit Code in a GIF file?

Can a GIF image file that has been altered to contain PHP exploit code execute? Lorna Hutcheson asks in a post on the SANS Diary:

It is a clever way to pass exploit code to others without it setting off alarms or attracting attention all while bypassing network security tools. Steve reported it to the Web site owners and now a quick check back of the site shows a completely different file with the same name there now. So who switched the image? The person who placed it there to begin with or the folks running the Web site?

The second idea, but completely untested at this point, is that PHP will ignore everything else and just look for its delimiters. Which means it would be a great method for an RFI attack.

Regardless, it's interesting and scary to find a file that acts like a regular GIF file, but contains a script exploit. Nice catch Steve, thanks for passing it along!

Could PHP really be reading the code or is it an exploit in GD, ImageMagick, or another graphics manipulation library? This doesn’t make much sense to me.

[PHP Exploit Code in a GIF]
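As an added example (not code from this post or from the SANS Diary entry), here is one way a defender could check a GIF for the PHP delimiters the quoted diary mentions: it walks the GIF block structure, joins the length-prefixed sub-blocks, and reports which region holds an opening tag. The function names, the 1x1 sample image and the harmless marker tag are all constructed for illustration.

```python
import re
PHP_OPEN = re.compile(rb"<\?(?:php|=)", re.I)     # PHP opening delimiters

def _sub_blocks(data, pos):
    """Join length-prefixed GIF sub-blocks; return (payload, next position)."""
    out = bytearray()
    while data[pos]:
        out += data[pos + 1:pos + 1 + data[pos]]
        pos += 1 + data[pos]
    return bytes(out), pos + 1

def _table(data, pos, packed, regions):
    """Record the colour table a packed field announces; return position after it."""
    size = 3 * 2 ** ((packed & 7) + 1) if packed & 0x80 else 0
    regions.append(("color table", data[pos:pos + size]))
    return pos + size

def _regions(data):
    """Walk the GIF block structure and return [(region name, bytes)]."""
    regions = []
    pos = _table(data, 13, data[10], regions)     # 6-byte signature + 7-byte descriptor
    while data[pos] != 0x3B:                      # 0x3B = trailer
        if data[pos] == 0x21:                     # extension: label, then sub-blocks
            kind = "comment" if data[pos + 1] == 0xFE else "other"
            payload, pos = _sub_blocks(data, pos + 2)
            regions.append((kind + " extension", payload))
        elif data[pos] == 0x2C:                   # image descriptor
            pos = _table(data, pos + 10, data[pos + 9], regions)
            payload, pos = _sub_blocks(data, pos + 1)   # skip LZW code size byte
            regions.append(("image data", payload))
        else:
            raise ValueError("unknown block")
    regions.append(("after trailer", data[pos + 1:]))
    return regions

def find_php_in_gif(data):
    """Return [(region, offset in region)] for each PHP opening tag in a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        regions = _regions(data)
    except (IndexError, ValueError):
        regions = [("malformed GIF", data)]       # a parse error must not hide a hit
    return [(n, m.start()) for n, blob in regions for m in PHP_OPEN.finditer(blob)]

# Constructed 1x1 GIF sample (not the file from the post); TAG is a harmless marker.
CLEAN = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
         b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x44\x01\x00" b"\x3b")
TAG = b"<?php /* constructed marker */ ?>"
IN_COMMENT = CLEAN[:19] + b"\x21\xfe" + bytes([len(TAG)]) + TAG + b"\x00" + CLEAN[19:]
```

Joining the sub-blocks before matching matters: a tag split across two sub-blocks is interrupted by a length byte in the raw file, so a plain byte search for `<?php` would miss it.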
