Can a GIF/JPEG file contain runnable PHP code?

Question

Testing a web application, I can upload GIF/JPEG files and I know there is a possible threat when including PHP Code properly in that GIF/Jpeg (because it is modified using

Answer 1

I'll answer myself for the jpg link file containing PHP code execution, but if someone else provide a more complete answer, I'll offer the accepted check ;)

Here's a link to a "compromised" JPEG file containing PHP exploit code (phpinfo)

(don't worry, the file won't do anything to you)

Moreover, it's important to notice that even if you succeed into uploading a gif file containing php code, if that gif file is read as gif (and not executed as php, via include/require, or a badly configured server), it won't do anything, just have php code on your server, useless.

So in order for this attack to work, you need to have two conditions :

1. The website must use a fileupload at some point that you can access
2. The files stored must be executed via PHP, even the image files (in that case).

Although the 1. is quite easy to have, the second is near impossible nowadays. The default configuration for PHP is to run the PHP interpreter only for .php files, either using NGinx, Apache, Lighttpd, etc.

In conclusion, this vector of attack is really low in probability of success.