View Issue Details

IDProjectCategoryView StatusLast Update
0017460phpList 3 applicationSecuritypublic22-08-18 17:35
Reporternelsonmct 
PrioritynormalSeveritytrivialReproducibilityalways
Status resolvedResolutionno change required 
Product Version3.0.8 
Target VersionFixed in Version 
Summary0017460: Code in admin/image.php Appears to be Malicious
DescriptionThe code in the title file does not pass the suspicious test for our hosting service, MediaTemple, in the US. They shut down our website because of this file.
Lines 19 -21 read

  echo base64_decode($row["data"]);
} else {
  header("Content-Type: image/png");
  print base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAABGdBTUEAALGPC/xhBQAAAAZQTFRF////AAAAVcLTfgAAAAF0Uk5TAEDm2GYAAAABYktHRACIBR1IAAAACXBIWXMAAAsSAAALEgHS3X78AAAAB3RJTUUH0gQCEx05cqKA8gAAAApJREFUeJxjYAAAAAIAAUivpHEAAAAASUVORK5CYII=');

Is there another way to accomplish the task without using the base64_decode() function?

Have others reported a problem with this file?
Steps To ReproduceN/A
Additional InformationIt was necessary to remove the file for the host to restore the website.
At that point the file was uploaded again with an upgrade from 3.0.5 to 3.0.8, but the image.php file is EXACTLY the same.

The only long term fix is to change hosts. That is not a happy solution. The rest of the website is fine.
TagsNo tags attached.

Activities

nelsonmct

08-10-14 17:50

reporter  

image.php (796 bytes)

michiel

08-10-14 17:57

manager   ~0055353


why not look at the image. It's the representation of a pixel.

nelsonmct

08-10-14 18:38

reporter   ~0055359

Are you suggesting that the file image.php only produces a single pixel?

If that is the case, can the admin/image.php file be removed without affecting the function or performance of the program?

If removed will an error occur? Or if the file is needed, can the base64_decode() function lines be removed without a problem? Or if that is a problem, can the base64_decode() function lines be changed to simply print a clear pixel image, so as to remove the scary code?

michiel

08-10-14 18:52

manager   ~0055361

the image.php file will return the image from the database. This image is stored with base64 encoding. If the image cannot be found, it will return a 1x1 pixel, so that there is no "broken-image" displayed.

You can safely remove the file. The impact will be that images are not displayed in the backend when you upload them to your newsletter. That won't affect the sending of newsletters.

michiel

08-10-14 18:53

manager   ~0055362

or alternatively you can tell your ISP to stop being paranoid about a base64 encode pixel.

nelsonmct

08-10-14 21:38

reporter   ~0055372

We no longer live in the age of Aquarius, but in the age of Paranoia. I forked the code as follows:

  echo base64_decode($row["data"]);
} else {
  header("Content-Type: image/gif");
  print ("<img alt='' src='../images/dot_c.gif' width='1' height='1'>");
}

I put a one pixel clear image in the /admin/images/ folder by the name " dot_c.gif ". I think that replaces the paranoia-inducing code with something that looks completely benign but accomplishes the same objective.

Thank you for working with me on this.

michiel

08-10-14 21:46

manager   ~0055373

that won't work. The "Content-Type" tells the browser that what follows is an image.

Instead what follows is a snippet of HTML that points to an image.

You have to realise that this is already used in the HTML:

<img src="/image.php?id=X">

So it cannot return text or HTML.

Instead, if you want to remove the encoded pixel, Just remove the whole else part. The coding to create a "non-broken" image dates from the time when we made things to work with Netscape 2 and Internet Explorer 6. Remember, phpList is more than 10 years old. Those browsers used to display a red cross for an image that was wrong. Today browsers don't do that any longer.