[fuzzybunny]

I was thinking about this a while ago.

1) An image file has a code that says "this is where the image stops"
2) If you could add code to the image after the stop code, the image would appear normally
3) Depending on what you added, the new image could be malicious
3)a- For example, when people view it in a browser, the added code could be javascript or html
3)b- Say you upload an image to a blog or whatnot. Whenever someone opens the page with the image, the image's code will be run.

Does this make sense to anyone else? It seems a little too simple to me, which would make me think it has already been discovered/used/patched.

[Night Crawler]

Nope, wont work. Pictures are pure data files, they won't get executed. Could be used to as a method to obscure hidden messages to someone that knows where to look, but then again there are better methods for that.

[Sorrow]

This was already asked multiple times before.
I suppose you mean something like that:

http://www.trickyinp....com/xsspic.jpg

This works in IE only. Furthermore, if you use this pic in an <img> tag, the javascript won´t fire. So only viewing the pic directly will do the job.

[raddmadd]

Night Crawler is right. You'd have to figure out a way to get an interpreter to read that code. I don't know how browsers render images, but think about how it works. The code that reads the image and displays it won't read Javascript. Nice idea though.

This post has been edited by raddmadd: 08 February 2010 - 04:16 AM

[DamegedSpy]

Actually someone made a logger in PHP with a 1x1 image(That is in reality code pointing to the real image)
http://66.93.224.121...tscount/cnt.php
Its not mine so you may ask him how it works. Also I am not sure this is going to be compatible with IP Board.
This is the author.

[Sorrow]

Dunno what that 1 pixel pic-guy says he did there. Maybe something similar to my pic? Yet, how can he use this pic in an image tag and how can he log via php?

[talwoasc]

You can do this:

<img src="image_script.php?image=1" />

And that will send off to the server, execute the script which could do whatever you want and then return an image similar to http://www.webcheats..._generation.php but with a payload.

[fuzzybunny]

bummer :-( doesnt seem to work like what I was going for. So if I have an image like so:

<start-------------------end>

and I move the end> forward:

<start-------end>---------

What happens to the rest of the data? Just ignored?

[talwoasc]

If your talking about putting javascript into images I think you can just open it up with notepad and append your code to the end as long as its less than 25bytes or something like that.
BTW: Doesn't work if you view it throgh the local file system (ie. C:\documents\image.jpg) so either upload it to a webserver or setup xampp or similar and view it through there using IE.