There is a method of hacking PHP that uses a security flaw in how PHP handles EXIF meta data embedded in JPEG, PNG or GIF images. This is described as an EXIF injection attack. As a precaution, it is a good idea to strip all EXIF information from any images that are uploaded to your website.
I have found these two tools really useful for doing this, and this is a quick outline of how we used them:
Removing EXIF meta data from .jpg on Ubuntu / PHP
There is a really good tool called exiftool. There is a version in the Ubuntu repositories – so it is super easy to install.
apt-get install libimage-exiftool-perl
You can then strip the EXIF meta data from a JPEG using the command:
exiftool -all= filename.jpg
So in PHP this would look like this:
$output = exec(sprintf("exiftool -all= %s", escapeshellarg($_image_path)));
Removing EXIF meta data from .png images on Ubuntu / PHP
The best tool for removing EXIF information from .png files is OptiPNG. You can install optipng on Ubuntu from source using this recipe.
apt-get install optipng
And so again in PHP it would look something like this:
$output = exec(sprintf('optipng -strip all %s', escapeshellarg($_image_path)));
I hope this helps someone.
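The two commands above combined into one upload-time helper, as an added example that is not part of the original post. The function name strip_image_metadata() is hypothetical, and exiftool, optipng and PHP's fileinfo extension are assumed to be installed. It adds exiftool's -overwrite_original flag, because by default exiftool leaves the unstripped file beside the cleaned one as filename.jpg_original.

```php
<?php
// Added example (not the original author's code). strip_image_metadata() is a
// hypothetical helper; exiftool, optipng and the fileinfo extension are assumed.

function strip_image_metadata(string $path): string
{
    // On Ubuntu an absolute path starts with "/", so a file name beginning
    // with "-" cannot be read as a command-line option by either tool.
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new InvalidArgumentException("Not a regular file: $path");
    }

    // Pick the tool from the file's content, not from the uploaded file name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($real);

    switch ($mime) {
        case 'image/jpeg':
            // Without -overwrite_original, exiftool keeps the unstripped file
            // next to the cleaned one as "<name>_original".
            $cmd = sprintf('exiftool -all= -overwrite_original %s', escapeshellarg($real));
            break;
        case 'image/png':
            $cmd = sprintf('optipng -strip all %s', escapeshellarg($real));
            break;
        default:
            // The post names no tool for other types (GIF included): reject.
            throw new RuntimeException('Unsupported image type: ' . var_export($mime, true));
    }

    // exec() returns only the last output line; capture everything and check
    // the exit status so a failed strip is never mistaken for success.
    $lines = [];
    $status = 0;
    exec($cmd . ' 2>&1', $lines, $status);
    if ($status !== 0) {
        throw new RuntimeException("Strip failed ($status): " . implode("\n", $lines));
    }
    return $mime;
}

// Usage inside an upload handler ("photo" is a constructed form field name):
// strip_image_metadata($_FILES['photo']['tmp_name']);
```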