Is it possible to execute PHP with extension file.php.jpg?

太阳男子 2020-11-30 10:31

The site's legitimate file image_upload.php was used to upload the file 89471928047.php.jpg; it was a simple file upload form that copied the tmp file to the same images fo

3 answers
  •  北荒 (original poster), 2020-11-30 10:55

    Your image_upload.php is insecure, check the following:

    1. Does it allow only image extensions? Otherwise it would be possible to upload a PHP file directly. (I think you're covered on this one, but double-check.)
    2. Does it check that the uploaded file is indeed an image? Here the answer is no, it doesn't check the contents. Add this check! With this single step you'd close the initial breach.

    To check if it's an image you can run getimagesize on the file; it will return FALSE if it's not an image.

    How is it possible to execute that file? First, how do you know it has been executed? Did you see side effects?

    1. One way is that they could have tampered with other files.
    2. A second way, perhaps more probable, is that they used unsanitized inputs to your scripts to either include or eval the code. In this case you can find proof only by looking at the logs.

    How to look at the logs?

    Check the date and time of the uploaded file and start looking around there for suspicious activity (look at strange URL parameters). Once you've found one or more IP addresses doing evil things, grep the log for that IP (or those IPs) to see the whole story.

    Another important thing to know is: did you write the site or use a CMS or similar, and in that case, what is it and what version? You have to check published vulnerabilities and upgrade if necessary.
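The two checks the answer asks for (extension whitelist plus getimagesize), put together as an added example handler; this is not the poster's image_upload.php. It assumes the form field is named "image" and that the images directory is passed in as `$uploadDir`. It also discards the client-supplied filename, because getimagesize only parses the image header and cannot by itself prove a file is harmless.

```php
<?php
// Added example, not the poster's image_upload.php. Assumes a form field
// named "image" and an $uploadDir that holds only uploaded images.
declare(strict_types=1);

// Whitelist of allowed (last) extensions and the MIME type each must have.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];

function validate_image_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error ' . $file['error']];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    // Check 1 (extension): only the final extension is considered, so
    // "89471928047.php.jpg" yields "jpg"; the original name is never reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed"];
    }
    // Check 2 (content): getimagesize() returns false for non-images.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return ['ok' => false, 'reason' => 'not an image'];
    }
    // Check 3: the detected MIME type must match the claimed extension.
    if ($info['mime'] !== ALLOWED[$ext]) {
        return ['ok' => false, 'reason' => "content is {$info['mime']}, expected " . ALLOWED[$ext]];
    }
    return ['ok' => true, 'ext' => $ext];
}

function store_image(array $file, string $uploadDir): string
{
    $v = validate_image_upload($file);
    if (!$v['ok']) {
        throw new RuntimeException('rejected: ' . $v['reason']);
    }
    // Random server-chosen name with the verified extension: a client-chosen
    // ".php" can never become part of the path on disk.
    $name = bin2hex(random_bytes(16)) . '.' . $v['ext'];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $name;
}

// Usage inside the upload script (assumed field name "image"):
// $saved = store_image($_FILES['image'], __DIR__ . '/images');
```

The rejection reasons are returned rather than echoed so the caller can log them alongside the client IP, which is the same evidence the log review above relies on.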
