I found a PHP script in a GIF file

Question

Is it possible for a PHP script to be inside a GIF file? I found one when I opened a .gif file in notepad++.

Answer 1

Posting the PHP code would be helpful in determining the intent of the script. While, as most of the commenters pointed out, there might be a benign explanation to it I still would not rule out less innocent shenanigans going on.

The benign case: the script is indeed meant to output a GIF image and you got the code instead because of a server misconfiguration. This could happen if:

1. the author mistyped the instruction in the .htaccess file to treat either all GIFs or this particular file as PHP
2. the webmaster overwrote the .htaccess with one lacking said instructions
3. the server administrator dropped an AllowOverride none into his httpd.conf disabling all userspace personalizations

I would look at the type of functions used in the code. This being supposedly a GIF file, I would expect the script to end with an imagegif($img) instruction or such, maybe followed by imagedestroy($img). If this is the case the script seems likely to be meant to output GIF images to the browser.

The evil case: somebody uploaded a bunch of hacker stuff masqueraded as a GIF, expecting later to launch it using any method that can give him access to the command line: an unprotected eval(), a hole elsewhere in the server or even a vulnerability in a totally unrelated daemon running on the same machine. His advantage in this case would be that the script would be stored in a known location derivable from the server root. There are scripts out there that include complete file managers and sets of utilities in a single package - just for the purpose of making havoc. Again, look at the source: if it starts with a shebang (something like #!/bin/php /usr/htdocs/myfakeimagefile.gif) it's definitely meant to be run from the command line. Lack of shebang doesn't however imply it can't be run as a script: as long as one knows where PHP is, where the script is and can access a command prompt can probably launch it anyway.

Answer 2

You can convert to "bmp" format and back - to clean up scripts inside meta data of your uploaded images. Bmp does not have metadata but do have alpha transparency and 100% quality. In PHP you can use imagick class:

/*
Cleanup injected scripts from imagick object "$insecure", making object safe next manipulations.
*/
function MakeImageSafe($insecure) {
  global $configuration,$dic,$smarty;
  $ImageMETAFormat=strtolower($insecure->getImageFormat());
  $ImageMETAName=$insecure->getFilename();
  //convert to bmp to remove injected php/js... and
  if($ImageMETAFormat!="gif") {
    $insecure->setImageFormat("bmp");
    $insecure->writeImage("{$configuration['tmp_path']}/{$ImageMETAName}.bmp");
    //get secure image
    $original=new Imagick("{$configuration['tmp_path']}/{$ImageMETAName}.bmp");
    //delete temporary bmp
    unlink("{$configuration['tmp_path']}/{$ImageMETAName}.bmp");
  }
  else {
    // convert each frame in animated gif and recreate the gif
    $original=new Imagick();
    foreach($insecure as $frame) {
      $frame_delay=$frame->getImageDelay();
      //get timing
      $frame_page=$frame->getImagePage();
      //get offsets and geometry of the frames
      $frame->setImageFormat("bmp");
      $frame->writeImage("{$configuration['tmp_path']}/{$ImageMETAName}.bmp");
      $safeframe=new Imagick("{$configuration['tmp_path']}/{$ImageMETAName}.bmp");
      $safeframe->setImageDelay($frame_delay);
      $safeframe->setImagePage($frame_page['width'],$frame_page['height'],$frame_page['x'],$frame_page['y']);
      $safeframe->setImageFormat("gif");
      $original->addImage($safeframe->getImage());
      unlink("{$configuration['tmp_path']}/{$ImageMETAName}.bmp");
    }
  }
  //return safe object
  return $original;
}

Most image hosting websites allow scripts inclusion in images: eg: flickr, livejournal, or convert image to some bad format like jpeg - eg: google, etc. This script fixes this issue. Your comments are welcome! :) Cheers, Matt.

Answer 3

Most image formats have segments where the author can store some comments or other information that are not the actual image data.

If you store some PHP code in such a comment segment, upload it to a server as .php and the server just checks for valid image data (like the getimagesize function does), it’s being accepted as a valid image. But when it’s requested, the PHP code inside the comment segment is executed.

Answer 4

Finding php in a gif file could indicate someone is trying to attack you're server. This is an interesting read about secure file upload and php.

Answer 5

You could always use mod rewrite to change the file extension if thats what your getting at?

Answer 6

As a SysAdmin when I find PHP scripts with image extension (.gif, .jpg, .png) it usually means that somebody broke into a PHP Application and is hiding malicious code inside that file.

Their code can be executed by calling the PHP CLI or just by including the file from any other PHP script. Remember that include and require don't really care about the file's name. The latter is the most common case I've seen.

You would need to check the code itself and see what it does. Don't run it, read it first.

Answer 7

Actually, there are a couple of things that are possible (and commonly used for things like hit counters.)

Consider this:

<img src="myPicture.php" />

myPicture.php might look like this:

<?php
// Use PHP's GD image libraries.

// Create the image
$my_img = imagecreate( 200, 80 );

// set image attributes

// Set the header to indicate we're sending image data, rather than ASCII
header( "Content-type: image/png" );

// Output the image
imagepng( $my_img );

// cleanup
?>

So, the output of your PHP script is not ASCII text (or HTML), it is the binary of a .png file. Thus the header() is set to indicate this, and the imagepng() functions shown actually output the raw PNG image data. (example lifted from here).

Another option, which others have mentioned involves a "normal" image tag:

<img src="myPicture.png" />

Notice this ends in ".png". In this case, the web server would have to be configured so that it parsed not only .php files as executable PHP code, but also .png files. Your code would look the same, but it would be wrapped in "myPicture.png" rather than ".php".

Answer 8

I've seen this done (although usually with the .jpg extension) for serving images from a database...

Assuming your using apache, you just have to tell apache to process that specific file as if it were php.

Answer 9

technically yes. one example of this use might be a server wanting to hide the true source of an image and maybe do some throttling (like those image shack -- this image has been viewed too many times today messages)

The situation would require apache to make php handle the gif file extension. the php inside the file would then do whatever checks were desired, and then send the headers for image/gif mime type, file size, etc, and then output the file with file_get_contents (or similar method)

Answer 10

It was probably a server-side PHP script with the .gif extention that served a dynamic gif image to clients. The server is just configured to execute .gif files as PHP scripts (or, more likely, just that specific .gif file).

This is fairly common. You'll find it in websites that have dynamic images.

Answer 11

The file extension doesn't need to be the same as the file contents, so yes it's possible to save a text file or PHP file with the .gif extension. It won't (usually?) show as an image in a browser or other application, and nor is it likely to run as a PHP file on a web server unless the server has specifically been configured this way.

The benefits of doing this aren't clear to me unless it's used as a sneaky way to try and execute PHP code via an image upload form, where the server has been configured to execute .gif files as scripts (i.e. any extension goes).