Mailing List Archive



Re: [tlug] Clamav reports a virus: Exploit.Gif.PHPembedded



"Edmund Edgar" <lists@example.com> writes:

> 2008/6/5 Hung Nguyen Vu <vuhung16plus+shape@example.com>:
>> If "he" wants to execute "php freebsd.jpg" he needs a shell first.
>
> Correct. Putting it in the jpeg gets the hostile code onto your
> server, but the attacker still has to do something so that the PHP
> program executes it.
>
> Change the name of your jpeg file from freebsd.jpg to freebsd.php, then go to:
> http://aoclife.ddo.jp/tmp/freebsd.php.
>
> ...an attacker wouldn't usually be able to upload the file with the
> extension .php in the first place.  As previously, they'd need to find
> another vulnerability somewhere to persuade the PHP program on the
> server to run the file.

I think tricking a PHP script into include-ing the malicious jpeg would
get it to run the embedded code. Including files based on parameters
passed in via URL seems to be a pretty common way for PHP apps to get
exploited.

Dave
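
An added example, not part of the original thread and not ClamAV's own signature logic: since an include of an uploaded image would run any PHP open tag inside it, an upload handler can screen files for such tags before storing them. The function names, verdict strings and sample bytes are assumptions constructed for this illustration.

```python
import re

# Magic-byte prefixes for the image types an upload form typically accepts.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# PHP open tags: the long tag (any case) and the short echo tag.
# The bare short tag "<?" is left out because two bytes occur by
# chance too often in compressed image data.
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def image_type(data: bytes):
    """Return the image kind suggested by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_upload(data: bytes) -> dict:
    """Classify an upload by image type and embedded PHP open tags."""
    kind = image_type(data)
    hits = [(m.start(), m.group().decode("ascii"))
            for m in PHP_TAG.finditer(data)]
    if kind is None:
        verdict = "reject: not a recognised image"
    elif hits:
        verdict = "quarantine: PHP open tag inside image"
    else:
        verdict = "accept"
    return {"type": kind, "php_tags": hits, "verdict": verdict}


# Constructed samples: a minimal 1x1 GIF, the same GIF with an inert
# marker appended after the trailer, and a non-image upload.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
TAGGED_GIF = CLEAN_GIF + b"<?php /* constructed marker, no payload */ ?>"
NOT_IMAGE = b"<?PHP /* constructed marker */ ?>"

if __name__ == "__main__":
    for name in ("CLEAN_GIF", "TAGGED_GIF", "NOT_IMAGE"):
        print(name, scan_upload(globals()[name]))
```

A file that passes the magic-byte check can still carry a tag, which is why the scan covers the whole file rather than only its header.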


