Interesting new hack in the wild – embedding PHP (or other*) code inside an otherwise valid image file. And why would anyone do that? Think of a site that allows users to upload avatars or icons or other images, then displays those images back to the public. If the site isn’t taking sufficient precautions during the upload and display stages, a hacker could create an image file with PHP embedded in the byte stream, then name their file
myfile.gif.php. A site that then sloppily displayed whatever images were uploaded to it would then display the image inline, and its embedded code would be executed.
The kicker is that even if your site is doing common checks to verify that it’s dealing with a standard image file, such as running the getimagesize() function on it first, those tests may yield a false positive, since the first n bytes check out just fine. You need to verify the filename extension as well, and not serve images from a directory that’s PHP-interpreted. Other suggestions in the article at PHP Classes.
* There’s no reason this same hack wouldn’t work with .ASP or .NET or ColdFusion sites as well, or with image formats other than GIFs.