dongshiliao7990 2015-03-10 11:04
Views: 60

GIF upload vulnerability - PHP upload

I'm a member of a PHP based forum. I recently found a serious JavaScript injection vulnerability in the forum software, that has now been patched by the software developers. After the most recent patch, they re-enabled GIF profile picture uploads. What worries me is that the image isn't resized or sanitized / stored as a Base 64 encoded image string, and the user can actually specify a URL to copy the image from.

I'm working with the forum owners to try to ensure the most recent software release is as secure as it can possibly be. If a user attempts to upload a GIF from a url that redirects to a PHP file (with appropriate headers set), is there any way a user could either break the PHP file uploading script, or inject their own PHP script into the uploaded GIF image?

The image is renamed, and none of the EXIF data is used on the forum software. I know that you can edit certain image files to inject JavaScript or PHP into a page when the page's script attempts to read the EXIF data, but that's not an issue here. I've also seen examples of images that break upload scripts when they're resized, which I don't believe to be an issue here either.

Is there anything to worry about with their current method? The one thing I'm unsure of is whether a user could affect the file upload script by redirecting a .gif image to a malicious .php script.

EDIT: I've also heard examples of HTML or PHP being disguised as .GIF files, that (depending on server operating system) can then be viewed / executed. I guess this would require making an HTML / PHP file with the same amount of bytes as the GIF image would take up on the server's file hosting?

Thanks.

Dan.
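As an added example (not from this question or from any forum software), here is the kind of structural check an upload handler can run on the fetched bytes before accepting them as a GIF; it is written in Python, but the logic carries over directly to a PHP upload script. It walks the real GIF block layout, so a plain PHP/HTML file with a .gif name, a GIF with script text appended after the trailer, and script text hidden in a comment extension are all rejected; the sample files are constructed. Re-encoding the accepted image with an image library afterwards strips anything this parser does not look at.

```python
"""Strict structural GIF check for an upload handler (added example).

Accepts the bytes only if every block is well-formed, the trailer byte is the very
last byte, and no script text sits in a comment/application extension.
"""
GIF_HEADERS = (b"GIF87a", b"GIF89a")
SUSPICIOUS = (b"<?php", b"<?=", b"<script")

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks; return offset after the 0 terminator."""
    while data[pos] != 0:          # IndexError on a truncated file is caught by the caller
        pos += 1 + data[pos]
    return pos + 1

def validate_gif(data: bytes) -> bool:
    """True only for a complete GIF with nothing unexpected inside or after it."""
    if len(data) < 13 or not data.startswith(GIF_HEADERS):
        return False               # not a GIF at all (e.g. a PHP or HTML file named .gif)
    try:
        pos = 13                                   # 6-byte header + 7-byte logical screen descriptor
        if data[10] & 0x80:                        # global colour table: 3 * 2^(N+1) bytes
            pos += 3 * (2 << (data[10] & 0x07))
        while pos < len(data):
            block = data[pos]
            pos += 1
            if block == 0x3B:                      # trailer: must be the final byte of the file
                return pos == len(data)
            if block == 0x21:                      # extension: label byte, then sub-blocks
                label, start = data[pos], pos + 1
                pos = _skip_sub_blocks(data, start)
                if label in (0xFE, 0xFF) and any(s in data[start:pos] for s in SUSPICIOUS):
                    return False                   # script text inside a comment/app extension
            elif block == 0x2C:                    # image descriptor (9 bytes) + LZW data
                lpacked = data[pos + 8]
                pos += 9
                if lpacked & 0x80:                 # local colour table
                    pos += 3 * (2 << (lpacked & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
            else:
                return False                       # unknown block type
    except IndexError:
        return False                               # ran off the end in the middle of a block
    return False                                   # data ended without a trailer

# Constructed samples: a 1x1 GIF, the same GIF with PHP appended, and PHP in a comment block.
MINIMAL_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
               b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
APPENDED_PHP = MINIMAL_GIF + b"<?php echo 1; ?>"
COMMENT_PHP = MINIMAL_GIF[:13] + b"\x21\xfe\x0d<?php echo 1;\x00" + MINIMAL_GIF[13:]
```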


0 answers
