My ad server has been hacked over the weekend.
It seems to be a widespread problem, according to this article.
There is something in there that got me thinking…
> Attackers used one attack to get login rights to his server, and then uploaded a maliciously encoded image that contained a PHP script hidden inside it, he said. By viewing the image, attackers forced the script to execute on the server.
How is this possible? Does it rely on the image being opened with GD or similar? Do they upload a script posing as an image, and somehow include it?
It can be as simple as uploading a file like
If your upload script tests the content type via fileinfo or `mime_content_type()`, it is recognized as “GIF image data, version 89a”, since `GIF89a` is the only pattern/magic number that is required to identify a file as a gif. And the OpenX upload script apparently kept the proposed filename, i.e. it was possible to save this “image” as foo.php on the server. Now, if you requested that file via `http://hostname/uploaddir/foo.php`, the script was executed as a php script because webservers usually/often determine the content type only by the filename extension. php then echoes the leading `GIF89a` and executes the `<?php ...code...` block.

Putting the `<?php` block into a gif comment is slightly more sophisticated but basically the same thing.
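Added illustration of the server-side check, not code from the answer or from OpenX, written in Python rather than PHP: the magic-number test the answer describes accepts the polyglot, a walk over the GIF block structure rejects it but still accepts PHP tucked into a comment extension, so the decisive control is that the server assigns the stored filename and extension itself. All three sample files are constructed.

```python
import hashlib
# Constructed: the polyglot from the answer, a GIF magic number then PHP code.
POLYGLOT = b"GIF89a<?php echo 'hello from the server'; ?>"
# Constructed: a structurally complete 1x1 GIF89a (header, screen descriptor,
# 2-entry global color table, one image block, trailer).
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
# Constructed: the same image with PHP hidden in a GIF comment extension (0x21 0xFE).
PHP_COMMENT = b"<?php echo 1; ?>"
COMMENT_GIF = (REAL_GIF[:19] + b"\x21\xfe" + bytes([len(PHP_COMMENT)])
               + PHP_COMMENT + b"\x00" + REAL_GIF[19:])

def weak_check(data):
    # The check the answer describes: the magic number alone. Passes POLYGLOT.
    return data[:6] in (b"GIF87a", b"GIF89a")

def parse_gif(data):
    """Walk the GIF block structure; accept only a well-formed file whose trailer
    (0x3B) is the last byte. Comment extensions are legal GIF, so COMMENT_GIF passes."""
    if not weak_check(data) or len(data) < 13:
        return False
    packed, pos, saw_image = data[10], 13, False
    if packed & 0x80:                      # global color table present
        pos += 3 * (2 << (packed & 7))
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                  # trailer: nothing may follow it
            return saw_image and pos == len(data)
        if block == 0x2C:                  # image descriptor, 9 bytes
            if pos + 9 > len(data):
                return False
            lpacked, pos = data[pos + 8], pos + 9
            if lpacked & 0x80:             # local color table present
                pos += 3 * (2 << (lpacked & 7))
            pos += 1                       # LZW minimum code size
            saw_image = True
        elif block == 0x21:                # extension: skip the label byte
            pos += 1
        else:
            return False
        while pos < len(data) and data[pos] != 0:   # data sub-blocks
            pos += 1 + data[pos]
        pos += 1                           # zero-length block terminator
    return False

def store(data):
    """Hardened upload: the content must parse as a GIF and the server picks the
    stored name and extension, so a client name like foo.php never reaches the web
    root as a .php file. Returns None when the upload is rejected."""
    return hashlib.sha256(data).hexdigest()[:16] + ".gif" if parse_gif(data) else None
```

Re-encoding the upload through an image library would additionally strip the comment block; the structural walk here only checks block layout, which is why the server-chosen `.gif` extension is what keeps the comment variant from ever being executed.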