ZDNet UK



PHP exploit code found on image-hosting site

Dawn Kawamoto CNET News.com

Published: 21 Jun 2007 14:10 BST


Security researchers have found PHP exploit code embedded in a GIF on a major image-hosting site.

The exploit code slipped through the site's defences with the aid of a legitimate image at the beginning of the file, according to a blog post on the SANS Institute's Internet Storm Center.

"It is a clever way to pass exploit code to others without it setting off alarms or attracting attention, all [the] while bypassing network security tools," the blog noted.

Attackers planted a PHP exploit script within an image file. PHP is a programming language often used to create dynamic websites.

Once this type of malicious GIF is uploaded to a server, it can cause havoc by remotely allowing more exploits to be deployed on the system, said Johannes Ullrich, chief research officer for the SANS Institute.

When users download the image to view it, the server parses the PHP code and executes the exploit as it serves the image to the user.

Over the past six months, this type of technique has been occurring with increasing frequency, Ullrich said.
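An upload check that goes beyond the leading image bytes, as an added example that is not from the article or the Internet Storm Center post: it walks the GIF block structure, reports anything appended after the trailer, and flags PHP open tags anywhere in the file. The function names and the sample bytes are constructed for illustration.

```python
import re

# Tags that switch the PHP interpreter on; bare "<?" is omitted (occurs by chance in image data).
PHP_TAG = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*[\"']?php", re.I)

def _skip_sub_blocks(data, pos):
    """Step over GIF data sub-blocks (length byte + payload; length 0 ends)."""
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def _table_len(packed):
    # Byte length of the colour table announced by a packed-flags byte.
    return 3 * (2 << (packed & 7)) if packed & 0x80 else 0

def gif_end_offset(data):
    """Offset just past the GIF trailer byte (0x3B); ValueError if malformed."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF signature")
    pos = 13 + _table_len(data[10])
    while pos < len(data):
        if data[pos] == 0x3B:                    # trailer
            return pos + 1
        if data[pos] == 0x21:                    # extension: 0x21, label, sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif data[pos] == 0x2C and pos + 10 <= len(data):   # image descriptor
            pos += 10 + _table_len(data[pos + 9])
            pos = _skip_sub_blocks(data, pos + 1)  # +1: LZW minimum code size
        else:
            raise ValueError(f"unexpected block at offset {pos}")
    raise ValueError("no trailer found")

def scan_upload(data):
    """Return a list of findings for one uploaded file; empty means clean."""
    findings = []
    try:
        extra = len(data) - gif_end_offset(data)
        if extra:
            findings.append(f"{extra} bytes appended after GIF trailer")
    except ValueError as exc:
        findings.append(f"not a well-formed GIF: {exc}")
    findings += [f"PHP open tag at offset {m.start()}" for m in PHP_TAG.finditer(data)]
    return findings

# Constructed samples: a 1x1 GIF, and the same file with an inert PHP tag appended.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b"
POLYGLOT = CLEAN_GIF + b"<?php /* constructed placeholder */ ?>"
```

A scan like this complements, and does not replace, storing uploads where the web server never hands them to the PHP interpreter, since the exploit only runs when the server parses the file.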
