Description
The current validation in this module checks only the file extension against a whitelist (jpg, jpeg, gif, png). It does not inspect file content for embedded PHP code. This means a polyglot file (valid image header + PHP) will pass validation and can be stored on the server with executable PHP inside.
Why this matters
While this module correctly prevents files with dangerous extensions (.php, .phtml, .phar) from being uploaded, the uploaded .gif/.jpg/.png files can still contain executable PHP code. If any Local File Inclusion (LFI) vulnerability exists in Magento core or a third-party extension, such as an unsafe require_once($userInput), the attacker can execute the embedded PHP code.
This is not a theoretical concern. Real-world attacks have been observed on one of my clients using exactly this pattern:
- Upload a file like payload.gif containing GIF89a;
- The file passes extension validation and MIME detection (image/gif)
- Exploit an LFI vulnerability to require_once the uploaded file
- Full remote code execution achieved
Even with nginx rules restricting direct PHP execution to specific files (e.g., only index.php, get.php, static.php), the code still executes, because require_once/include operate inside the already-running PHP process and never go through the web server.
I haven't found the core LFI vulnerability, but the client site doesn't have a lot of custom or third-party modules.
Proof of Concept

```php
<?php
// Create polyglot GIF with embedded PHP
$gif = "GIF89a;<?php file_put_contents('/tmp/pwned.txt', 'EXECUTED'); ?>";
file_put_contents('/tmp/test.gif', $gif);

// Verify it looks like a valid GIF
$finfo = new finfo(FILEINFO_MIME_TYPE);
echo $finfo->file('/tmp/test.gif'); // Output: image/gif

// Verify it passes extension check
$ext = pathinfo('/tmp/test.gif', PATHINFO_EXTENSION);
echo in_array($ext, ['jpg','jpeg','gif','png'], true); // true

// Execute via require_once (simulating LFI)
require_once '/tmp/test.gif';
// Result: /tmp/pwned.txt is created — PHP code executed successfully
```

Test output:

```
MIME type detected: image/gif
Extension-only validation: PASSED (allowed)
PHP code inside .gif was successfully executed via require_once.
```
Recommended fix
Add content-level validation to reject files containing PHP code. Magento's patched ImageContentValidator (in recent security patches) already does this:
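As an added illustration of what content-level validation looks like (this is example code written for this report, not Magento's ImageContentValidator and not this module's code), the check below runs after the existing extension whitelist and rejects a file unless it both decodes as an allowed raster format and contains no byte sequence that could open a PHP block anywhere in the file. The class name `UploadedImageContentCheck`, the reason strings and the two sample files are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Magento's or this module's code): content-level checks
// for an uploaded image that has already passed the extension whitelist.
final class UploadedImageContentCheck
{
    /** @var string[] Extensions the module already allows. */
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];

    /** @var int[] getimagesize() image types matching that whitelist. */
    private const ALLOWED_IMAGE_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_GIF, IMAGETYPE_PNG];

    /**
     * Byte sequences that can open a PHP block. The bare "<?" short tag is
     * included on purpose: rejecting it is conservative, and a raster image
     * has no legitimate reason to contain it.
     *
     * @var string[]
     */
    private const PHP_OPEN_TAGS = ['<?php', '<?=', '<?', '<script language="php"'];

    /**
     * Returns null when the file is acceptable, otherwise a short reason string
     * (constructed wording for this example).
     */
    public static function validate(string $path, string $originalName): ?string
    {
        $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            return 'extension not allowed';
        }

        // Check 1: the header must parse as one of the allowed image formats.
        // getimagesize() only reads the header, so on its own it would still
        // accept the polyglot from the PoC; it is here to reject non-images.
        $info = @getimagesize($path);
        if ($info === false || !in_array($info[2], self::ALLOWED_IMAGE_TYPES, true)) {
            return 'not a decodable image';
        }

        // Check 2: scan the whole file, case-insensitively, for a PHP open tag.
        // This is what catches PHP appended after a valid GIF/JPEG/PNG header.
        $bytes = file_get_contents($path);
        if ($bytes === false) {
            return 'unreadable';
        }
        foreach (self::PHP_OPEN_TAGS as $tag) {
            if (stripos($bytes, $tag) !== false) {
                return 'embedded PHP tag found';
            }
        }

        return null;
    }
}

// Constructed sample input: a 1x1 transparent GIF (smallest valid GIF).
$tinyGif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

// A genuine image: passes both checks.
$good = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($good, $tinyGif);
var_dump(UploadedImageContentCheck::validate($good, 'logo.gif'));

// The same valid GIF with a PHP block appended: header check passes,
// the full-content scan rejects it.
$bad = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($bad, $tinyGif . "<?php echo 'marker'; ?>");
var_dump(UploadedImageContentCheck::validate($bad, 'payload.gif'));

unlink($good);
unlink($bad);
```

The ordering matters: the header check alone is exactly the gap described above (finfo and getimagesize both stop at the header), so the whole-file tag scan is the part that actually closes it. A stricter variant is to re-encode the upload with GD or Imagick and store only the re-encoded output, which discards any trailing bytes regardless of what they contain.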
