How to remove exif metadata from jpegs using php or command line

There is a method of hacking php using a security flaw in php in how it handles exif meta data embedded in jpeg, png or gif images. You describe this as an EXIF injection attack. As a precaution it is a good idea to strip all EXIF information from any images that are uploaded to your website.

I have found these two tools really useful to do this and this is a quick outline of how we used them:

Removing EXIF meta data from .jpg on Ubuntu / PHP
There is a really good tool called exiftool. There is a version in the Ubuntu repositories – so it is super easy to install.

apt-get install libimage-exiftool-perl

You can then strip exif meta from a jpeg using the command:

exiftool -all=  filename.jpg

So in php this would look like this:

$output = exec(sprintf("exiftool -all= %s", escapeshellarg($_image_path)));

Removing EXIF meta data from .png images on Ubuntu / PHP
The best tool for removing exif information from .pngs is Optipng. You can install optipng on Ubuntu from source using this recipe.

apt-get install optipng

and so again in php it would look something like this:

$output = exec(sprintf('optipng -strip all %s', escapeshellarg($_image_path)));

I hope this helps someone.

Leave a Reply