Testing a web application, I can upload GIF/JPEG files and I know there is a possible threat when including PHP Code properly in that GIF/Jpeg (because it is modified using imagecreatetruecolor and imagejpeg).
I was looking for an existing GIF file containing a simple PHP code (like phpinfo or echo ‘hello world’) just to validate that the threat was concrete.
What would be perfect is a specifically crafted GIF image containing PHP code in the middle OR in the palette color, but I was unsuccessful to find one.
I’ll answer myself for the jpg link file containing PHP code execution, but if someone else provide a more complete answer, I’ll offer the accepted check 😉
Here’s a link to a “compromised” JPEG file containing PHP exploit code (phpinfo)
(don’t worry, the file won’t do anything to you)
Moreover, it’s important to notice that even if you succeed into uploading a gif file containing php code, if that gif file is read as gif (and not executed as php, via include/require, or a badly configured server), it won’t do anything, just have php code on your server, useless.
So in order for this attack to work, you need to have two conditions :
Although the 1. is quite easy to have, the second is near impossible nowadays. The default configuration for PHP is to run the PHP interpreter only for .php files, either using NGinx, Apache, Lighttpd, etc.
In conclusion, this vector of attack is really low in probability of success.