PHP flaw threatens photo uploads

Photo hosting services that allow users to publish their digital pictures online are being threatened by a vulnerability in the PHP scripting language that could be exploited by a malicious image file.

The flaw -- first discovered in February and patched by the PHP Group on Thursday -- could allow an attacker to crash a hosting company's server by uploading a unique image file that would consume 100 percent of the machine's processing power.

Ian Latter, senior security consultant at Internet security specialist Pure Hacking, said if a server running a vulnerable version of PHP was attacked, it would crash. However, the weakness does not threaten users of the service.

"This is a vulnerability based around CPU exhaustion. It enables an attacker to create a specially-crafted image that would consume the CPU resources of the server that [the image] is being uploaded to. It would potentially hang or crash that service," said Latter.

Security Web site iDEFENSE, which posted an advisory about the problem yesterday, said the vulnerability exists "due to insufficient validation of JPEG image file headers in one of the language's functions".

According to the advisory, "the JPEG file header contains a file length field which may be manipulated to cause an infinite loop in the copying of file data to memory".
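The advisory's description of the defect (a header length field that is trusted without validation, so the copy loop never advances) maps onto a simple check that any image-handling service can apply before passing an upload to a library. The following Python walker over JPEG marker segments is an added example, not code from the article or from PHP's own source: it reads each segment's two-byte length, rejects a length that is smaller than the field itself (which would stall or rewind the cursor) or that runs past the end of the file, and stops at the start-of-scan marker. The sample byte strings are constructed for the example, and the function and exception names are my own.

```python
"""Validate JPEG header segment lengths before trusting them.

Added example (not from the ZDNet article or from PHP): a defensive walker
over JPEG marker segments. The check that matters is on the length field:
it counts its own two bytes, so a value below 2 means the cursor would not
advance (or would move backwards) and a value larger than the remaining
file means a copy would read past the buffer. Both are rejected outright.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


class MalformedJpeg(ValueError):
    """Raised instead of looping or over-reading on a bad header."""


def parse_segments(data: bytes):
    """Return [(marker, length), ...] for header segments up to SOS or EOI.

    The cursor is advanced only by a length that has been bounds-checked,
    so the loop terminates on any input.
    """
    if len(data) < 2 or data[0:2] != b"\xff\xd8":
        raise MalformedJpeg("missing SOI marker")
    segments = []
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise MalformedJpeg(f"expected marker byte at offset {pos}")
        # Consecutive 0xFF bytes are fill; the marker code follows them.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            raise MalformedJpeg("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, 0))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            raise MalformedJpeg(f"truncated length field for marker 0x{marker:02X}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # Core validation of the length field (the class of check the
        # advisory says was missing): it must cover at least itself and
        # must not extend beyond the file.
        if length < 2:
            raise MalformedJpeg(f"marker 0x{marker:02X}: length {length} < 2 (cursor would not advance)")
        if pos + length > len(data):
            raise MalformedJpeg(f"marker 0x{marker:02X}: length {length} exceeds file size")
        segments.append((marker, length))
        pos += length
        if marker == SOS:
            break  # entropy-coded data follows; header parsing is done
    return segments


def is_safe_to_process(data: bytes) -> bool:
    """True if every header length field is sane, False otherwise."""
    try:
        parse_segments(data)
        return True
    except MalformedJpeg:
        return False


# Constructed sample: SOI, APP0 (JFIF), SOF0 (1x1, 1 component), SOS, EOI.
VALID_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08\x00\x01\x00\x01\x01\x01\x11\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x00" + b"\xff\xd9"
)
# Constructed malformed samples: a zero length field, and one larger than the file.
ZERO_LENGTH_JPEG = b"\xff\xd8\xff\xe0\x00\x00JFIF\x00"
OVERSIZED_LENGTH_JPEG = b"\xff\xd8\xff\xe0\xff\xff\x00"

if __name__ == "__main__":
    print(parse_segments(VALID_JPEG))
    for name, blob in (("zero", ZERO_LENGTH_JPEG), ("oversized", OVERSIZED_LENGTH_JPEG)):
        print(name, "safe" if is_safe_to_process(blob) else "rejected")
```

Running a check like this in front of the real decoder does not replace patching PHP, but it gives an upload service an early, cheap rejection of headers that a vulnerable parser would have spun on, and a log line to alert on when such uploads arrive.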

James Turner, security analyst at Frost & Sullivan, said that if the vulnerability is widely exploited, it is more likely to cause an inconvenience than to pose a serious threat.

"There is going to be a huge annoyance factor if these [photo] services go down. I can't see how the attackers could make money out of it," said Turner.

According to Internet monitoring site Netcraft, PHP is used by more than 18 million domains.

Topics: Security, Tech Industry

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

