PHP code injection on exif data

danjde · 11-03-2016, 04:20 AM

Hi friends,
as described here
seem that malicious script can be stored on exif data and so make any problems to own web server image files.

Do you know if is it possible to scan directory and subdirectory for searching bad and dangerous images exif data?

Many thanks!

unSpawn · 11-05-2016, 04:45 AM

Quote:

Originally Posted by danjde

malicious script can be stored on exif data

Please note the EXIF entry is just a text string in an otherwise inert file.

Quote:

Originally Posted by danjde

and so make any problems to own web server image files.

It isn't really "malicious code" until it can be exploited by either PHP-related or client code that misinterprets EXIF data.

Quote:

Originally Posted by danjde

Do you know if is it possible to scan directory and subdirectory for searching

Very crude example to illustrate a simple file search:

Code:

find /path/to/directory -type f -printf "%p\n" | while read ITEM; do file -i "${ITEM}" | grep -q -m1 ':.image/jpeg;' \
&& { echo "# ${ITEM}:"; cat "${ITEM}" | exiftool - | egrep -aie "(\(|\)|\[|\]|\+|\;|\=|\")"; echo ; }; done

Quote:

Originally Posted by danjde

bad and dangerous images exif data?

The problem is that if you run the above on a directory containing images you'll get a lot of False Positives because there's nothing in between to determine if the contents of a string is malicious or not. So the easiest best way is to remove all EXIF data if you're sure your software doesn't require it.

danjde · 11-05-2016, 10:50 AM

Waw!! Very clear explanation whit useful code example! ;-)

Quote:

Originally Posted by unSpawn

[..] So the easiest best way is to remove all EXIF data if you're sure your software doesn't require it.

About this point, what do you think about traditional cms systems and its gallery applications about exif data?
Could be useful delete all its images exif data? I think this could generate another kind of problems.

And so, ideally, we should be able to delete only "extra exif data". But how mark "extra" certain types of exif data?

..mumble ..mumble.. :-)

unSpawn · 11-05-2016, 09:51 PM

Quote:

Originally Posted by danjde

what do you think about traditional cms systems and its gallery applications about exif data?

I don't know much about "traditional" CMSes (and for deities sake let's not discuss the ones calling themselves "modern" ;-p) but in general EXIF data gets inserted by the device so by default you should get something like device vendor, image resolution, date and time, location etcetera. (That doesn't mean you can't add ownership, copyleft and such.) Most common usage for plain old web logs and e-commerce CMSes would be to use EXIF data to say rotate a picture so it displays correctly and that's about it (check the documentation).

Quote:

Originally Posted by danjde

Could be useful delete all its images exif data? I think this could generate another kind of problems.

Like what for example? Either way CMS / plugin documentation should show what's required?

Quote:

Originally Posted by danjde

And so, ideally, we should be able to delete only "extra exif data". But how mark "extra" certain types of exif data?

The problem isn't in certain "extra" types but 0) that any EXIF, IPTC (and XMP) data fields are just strings that can be manipulated by exif, exiftool and other editors and 1) that rule #1 (or #0, should you wish to count properly ;-p) of safe coding is to not ever trust user-supplied input.