Photos that end with a PHP extension

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
Hey guys, I have a number of photos which (due to dynamic resizing and watermarking) end with a .php extension (returns all the proper JPEG headers). Unfortunately, using the [ IMG ] tag only shows a link without embedding the photo the same way a .jpg does. I was wondering if it's possible to allow it to include these photos in posts. Thanks
 
Marc118

Guest
I think if they did that, the board would be vulnerable to malicious PHP functions via image upload.
 

o0 Ryan 0o

Administrator
Staff member
Messages
985
Location
York, PA
Yeah, I asked a few people about this. HTML and PHP are disabled for the reasons Marc mentioned. I know you would be using it appropriately, but allowing the PHP extension to be uploaded may set us up for something bad later. I'll double check the VB forums and make sure there isn't something we can implement.
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
I wasn't actually looking to upload the php, as that would (I agree) be a security risk as it's executing on your server. What I was looking for was the remote image embed.
so that I could do [ img ] http://www.milwaukeereptiles.com/getPhoto.php?AnimalID=Sierra&PhotoID=5&Size=600x450 [ /img ]

Edit: I'm assuming the VB scripts would be smart enough to detect if a non-image is being returned. My script uses the php command "header("Content-type: image/jpeg");" to properly ID the response as an image.
 
Messages
600
Location
WI
Allowing dynamic images can leave a huge hole in the board. Allowing a person to upload a PHP or Perl script to the upload folder here. But the owners could not tell which file is doing it and they would have to delete every pic in the upload folder.


HTML is not that bad. But still if you are not careful a few can do a few things.

My server was attacked last night from a board that was not updated. The client did not think anything of it. I had to help them fix their board so I could fix the server that their site was on.

If you have a pic that is dynamic. Save to your PC as a .jpg, .gif, or bmp then upload to here.
 
Messages
600
Location
WI
Also the scripts that are within the .php photos are hidden. And there is no way for the script of VB to detect it. The bad script will even have a nice photo with it.
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
Again, I'm not looking for it to do anything with the script but embed a tag.

All I want is for the forum to convert [ IMG ] rhacs.com/getphoto.php [ /IMG]
to < img src="rhacs.com/getphoto.php" >, so the image displays inline (similar to allowing HTML, but without all the iframe and JS security issues). Currently the board sees .php as a non-valid image extension (it's not looking at the image itself), and converting it to a link instead. To be clear there is not anything ever executing on this server (it's all done on mine and apache serves up a regular JPEG image). I could understand how UPLOADING the image to your server could allow for remote execution, but I'm not sure how a script on my server could possibly execute here using the <img> tag. I'm not looking to upload it to the photo gallery or anything, just to inline the image with my forum posts.

here's an example of what I want:
[ img ] http://www.milwaukeereptiles.com/photos/Sierra/5_200x200.jpg [ /img]
5_200x200.jpg


And here's what happens:
[ img ] http://www.milwaukeereptiles.com/getPhoto.php?AnimalID=Sierra&PhotoID=5&Size=200x200 [ /img ]
getPhoto.php
 
Messages
600
Location
WI
They are not saying you are going to. But if they open that up others could. Allowing the .php to be posted or uploaded here will open a hole in the server.

Research the last few IPB and PHPBB "hacks"


So they are not saying you will do this.

Let's say they allow the forum to parse the extension .php. I then could write a PHP script that is hidden within an image. Upload it to my server. Then hot link it here. using the
 
Messages
600
Location
WI
And again I know what you are looking for. But why post that here? Why not use the gallery here or upload it to your server as a jpg or gif? If you own the server or even a hosted package this would not be an issue.

The protection against the people that would do bad things is important to the DB
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
Wow I guess I assumed it wasn't possible via hotlinking.

My apologies for being ill-informed on the matter.

Out of curiosity, wouldn't it then be possible for any hot-linked image to have this, if it's hidden in the image itself?
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
The images are placed on my server (shared hosting plan), but I use the php script for dynamic watermarking/marking as sold/placing on hold so I don't have to go through the hassle of doing it manually. Plus, it helps protect my high-res images as they are not in a publicly-accessible location, but still on the server as a backup. I have no problem uploading them here, but if the image is already on my server it's just kind of a hassle to re-upload it.

If you can use apache's mod_rewrite to make any php script look like a .jpg (see example below), wouldn't it be impossible to prevent this sort of attack?

using "RewriteRule test/5.jpg$ http://www.milwaukeereptiles.com/getPhoto.php?AnimalID=CG-007&PhotoID=15&Size=600x450" in my .htaccess file
5.jpg
 
Messages
600
Location
WI
A php or perl script will not run on a pic with the extension .jpg or any other image extension. But it can run in the extension .php it all has to do with the way it is parsed. php is server side and HTML is browser side hence the reason different browsers see different colors.
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
A php or perl script will not run on a pic with the extension .jpg or any other image extension
Not true. If the apache server is using mod_rewrite to redirect your request from a .jpg to a .php, there is absolutely no way to know that.

What I'm saying is that if headers are properly returned, I can create a JPG image from a php script, as seen by my getPhoto.php script on my server. I can, however, use apache's mod_rewrite functionality to make it APPEAR to call test/5.jpg, but in all actuality it is simply forwarding your request to getphoto.php?id=5.

The point is, embedding a jpeg image hot-linked to a third-party site is just as unsafe whether it is a .jpg or a .php. If you put a php image link into the actual OUTPUT HTML, there is no way for it to execute on THIS server.

<img src="rhacs.com/getphoto.php"> and <img src="rhacs.com/5.jpg"> would both be executed on MY server, so they would not be running on this server, and thus, are equal in terms of security risk.

I'm not talking about executing ANYTHING on the GF server. I think you're confusing me wanting to do something like a <?php include?> statement or something, when I'm strictly talking about allowing an <img> tag without restriction to the extension, which is no more of a security risk than doing <img src=5.jpg />.

Actually, now that I think about it, I don't need this server to change at all. I'll use my .htaccess file to simply do a mod_rewrite to make the path end in .jpg, but have it internally redirect to my php script.
 
nora

Guest
ok im kinda going off topic here for a second... but what's with people (in general) using dynamic/water marking? i've always wondered about that.......

anyway..i in a nutshell in regards to brian's "info request".. can't mix and match php extensions with html language... =)
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
nora said:
ok im kinda going off topic here for a second... but what's with people (in general) using dynamic/water marking? i've always wondered about that.......

I'm not sure what you mean?

nora said:
anyway..i in a nutshell in regards to brian's "info request".. can't mix and match php extensions with html language... =)

Yes you can, what I am talking about here is no different from linking to a site that has a php extension. What you can't do is embed php into html and expect it to execute. But you can 'link to' an image served by another server.

My script is:
http://www.milwaukeereptiles.com/getPhoto.php?AnimalID=Sierra&PhotoID=6&Size=600x450

If I do
<img src="http://www.milwaukeereptiles.com/getPhoto.php?AnimalID=Sierra&PhotoID=6&Size=600x450"> nothing is actually executed on this server (assuming it would convert it to an actual IMG / HTML tag). As far as this server is concerned, it's equal to doing <img src="http://www.milwaukeereptiles.com/myimage.jpg">. It's my server that executes the PHP script and returns an image to the client browser.
 
Messages
600
Location
WI
Let's see if I can explain this a little better.

They know you are not going to do anything. See they already know this. But they do not know what joe blow is going to do. That is why many places will not allow dynamic images.

You do seem like you want to go through a ton of trouble to get these dynamic images up here though. When it would be fairly easy to just use the gallery here or upload them onto your site as a jpg.

See when you upload an image to here or many other forums you get the same image extensions as you have. But if you take a pic that is uploaded here using the thread upload and try to post it on my site it will not allow it. WHY. It is a dynamic image.

I still am not sure what the big deal is. Upload the pics here. Or upload them where they can be viewed here. Or post a link to your gallery.
 

Milwaukee Reptiles

Gecko Addict
Messages
325
Location
Milwaukee, WI
I fully understand them not wanting to, and I'm prepared to let it go. It's just a lot easier for me to upload them to my own webspace, and have the site automatically watermark, resize, and secure them. As a software engineer/web developer (perl mostly at work, php for my own projects), I was curious as to the reasons behind denying it, and the potential security risks.

I'll just add one mod_rewrite line to my .htaccess and make it appear as a jpeg, even though it will continue to be dynamically generated. It's actually the learning, understanding, and talking about the security issues that I'm more interested in than actually hot-linking it.
 
Messages
600
Location
WI
What I could possibly do for you is show you a script written to grab passwords or cookies. The biggest one that had things like this was PHPBB I want to say versions 2.x.x but what a person could do is upload an avatar that had the script attached. Once the admin looked bam they had the cookie. They go into their cookie file and delete the old one and put in the new one.

Another one is and this one is off the server and on theirs as you speak. A person tries to upload an avatar or photo. It does not work and the person sends a PM to the admin saying look at my pic it will not load. The admin goes to the URL sees a pic but the script grabs their cookie.

Another one is access to the server via allowing the person to use a PHP or Perl script to upload to the server's TMP Directory. This is most often done by a script kiddie that wants to send out spam or use the server for DoS attacks.

Unless you own the server you will never see this side though.

This is another reason why you should cap the size an upload pic can be. As most with scripts hidden are very large.

Then the hotlinked one acts as a retriever much like the above stuff. But mostly sits there and waits until someone views it then it runs its deal
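
The extension-versus-content question argued in this thread, as an added example (not code from any poster or from vBulletin): a Python sketch that compares an extension-only check on the posted URL with a check on the bytes actually returned or uploaded. The URLs, sample bodies, size cap and function names are constructed for illustration.

```python
import os
from urllib.parse import urlparse

# Leading bytes that identify the formats a forum would normally accept.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}
# Long, unambiguous markers only: two- or three-byte markers such as "<%"
# occur by chance in compressed image data and would reject real photos.
SCRIPT_MARKERS = (b"<?php", b"<script")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
MAX_BYTES = 512 * 1024  # assumed upload size cap for this example


def extension_check(url):
    """What the board in the thread does: trust the URL's file extension."""
    return os.path.splitext(urlparse(url).path)[1].lower() in IMAGE_EXTS


def content_check(body, max_bytes=MAX_BYTES):
    """Classify by the bytes themselves; returns (accepted, reason)."""
    if len(body) > max_bytes:
        return False, "too large"
    kind = next((k for sig, k in MAGIC.items() if body.startswith(sig)), None)
    if kind is None:
        return False, "not an image"
    lowered = body.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, kind


# Constructed samples: (URL as posted, body that URL returns or file uploaded).
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
SAMPLES = {
    "dynamic":   ("http://photos.example/getPhoto.php?PhotoID=5", JPEG),
    "rewritten": ("http://photos.example/test/5.jpg", JPEG),
    "fake":      ("http://photos.example/cat.jpg", b"<html><script>1</script>"),
    "polyglot":  ("http://photos.example/avatar.jpg", JPEG + b"<?php /* x */ ?>"),
}


def compare(samples=SAMPLES):
    """Map sample name -> (extension verdict, content verdict)."""
    return {name: (extension_check(url), content_check(body)[0])
            for name, (url, body) in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:10} extension={verdicts[0]!s:5} content={verdicts[1]}")
```

Marker scanning is a heuristic; for files a board hosts itself, re-encoding the image and storing it where the web server will not execute it is the stronger control.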
 
