Is it possible to execute PHP with extension file.php.jpg?

by

Check your .htaccess file

Using AddType in your .htaccess file, you can add many other extensions from which PHP can be ran. This is generally how .html extensions can be used while still using PHP within themselves. So, yes, it’s possible:

AddType application/x-httpd-php .jpg

You can test this if you like.

  1. Create a directory with two files: .htaccess and test.php.jpg
  2. Set content of .htaccess to AddType application-x-httpd-php .jpg
  3. Set content of test.php.jpg to <?php echo 'foo'; ?>
  4. Access test.php.jpg through localhost

If all goes as planned, “foo” will be output to your screen. You could expand upon this to move /tmp files around if you like.

Definitely something you want to be very careful with.

Check exposed calls to include/require

Another way this could have been done is through a call to require() or include() (or any of the _once() methods) where by the hacker was able to load in his badfile.php.jpg file that had been uploaded under the guise of an innocent image:

<?php

  include $_GET["file"];

?>

In the above case (simplified example), the hacker could pass in a path to his .php.jpg file and have its contents loaded in and processed as PHP code.

Other (frightening) ideas

Require, Include, and their related methods aren’t the only ways you can process external scripts – unfortunately you can use eval() as well. I would hope that you have none of this going on though. If you did have any scripts on your server that were using any one of the file functions to read the contents of another script, and then eval() to evaluate that content as PHP, this could also provide a gaping security hole in your website.

More Related Contents:

  1. How can I secure my source code [closed]
  2. Are PDO prepared statements sufficient to prevent SQL injection?
  3. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  4. Why would one omit the close tag?
  5. How to secure database passwords in PHP?
  6. Reference: What is a perfect code sample using the MySQL extension? [closed]
  7. The ultimate clean/secure function
  8. How to encrypt/decrypt data in php?
  9. Exploitable PHP functions
  10. Preventing Directory Traversal in PHP but allowing paths
  11. What is the best way to stop people hacking the PHP-based highscore table of a Flash game
  12. preventing csrf in php
  13. PHP image upload security check list
  14. Generating cryptographically secure tokens
  15. Which $_SERVER variables are safe?
  16. How to best store user information and user login and password
  17. What do I need to store in the php session when user logged in?
  18. PHP setcookie “SameSite=Strict”?
  19. Magic quotes in PHP
  20. Is it ever ok to store password in plain text in a php variable or php constant?
  21. What security issues should I look out for in PHP
  22. How do you set up use HttpOnly cookies in PHP
  23. Fastest hash for non-cryptographic uses?
  24. Best way to avoid code injection in PHP
  25. Using PHP/Apache to restrict access to static files (html, css, img, etc)
  26. Is it secure to store a password in a session? [duplicate]
  27. Secure and Flexible Cross-Domain Sessions
  28. What security problems could come from exposing phpinfo() to end users?
  29. Can a client view server-side PHP source code?
  30. Check if http request comes from my android app

Leave a Comment