There is a method of hacking php using a security flaw in php in how it handles exif meta data embedded in jpeg, png or gif images. You describe this as an EXIF injection attack. As a precaution it is a good idea to strip all EXIF information from any images that are uploaded to your website.
I have found these two tools really useful to do this and this is a quick outline of how we used them:
Removing EXIF meta data from .jpg on Ubuntu / PHP
There is a really good tool called exiftool. There is a version in the Ubuntu repositories – so it is super easy to install.
apt-get install libimage-exiftool-perl
You can then strip exif meta from a jpeg using the command:
exiftool -all= filename.jpg
So in php this would look like this:
$output = exec(sprintf("exiftool -all= %s", escapeshellarg($_image_path)));
Removing EXIF meta data from .png images on Ubuntu / PHP
The best tool for removing exif information from .pngs is Optipng. You can install optipng on Ubuntu from source using this recipe.
apt-get install optipng
and so again in php it would look something like this:
$output = exec(sprintf('optipng -strip all %s', escapeshellarg($_image_path)));
I hope this helps someone.
Dear james
..it did help, at lot! Thanx for your post!
I used it on today on my Debian server on the command line to remove the EXIF data from JPG-files before they’ve been transferd to my webserver.
It’s cool that “exiftool” automatically creates a copy of the original file..
Regards from Switzerland,
Rapha