More than that; the trigger code can sit passively and just check the cache for whatever payloads may come its way.

I suppose image sanitizers come soon to browsers. Only sanitized images will be cached; anything the browser can't make sense of will be thrown away.

Do you mean steganography?

Isnt this the principle behind synthid?

GitHub star farming, I'm guessing?

More than that, you need to check the file is a valid image, not just the mime type. I remember a host that let me upload an aspx file as a jpg and it allowed me to execute it and browse their entire file system until I found the SQL Server and network administrator passwords in a text file.

The passwords were both "internet".

For server implementations that aren't braindead, that is indeed the important bit. Computers don't inherently know how to run PHP. If the request handler doesn't look at the file extension to decide whether or not to pass the contents to the PHP interpreter (if PHP is even installed on the system), then image.php isn't going to run any PHP.

I'm not sure if this is exactly what you're referring to, but apparently years ago there were exploits bundling JAR files into GIFs to sneakily have them executed by the Java browser plugin: https://en.wikipedia.org/wiki/Polyglot_(computing)#GIFAR_att...

if anything i would use EXIF data to enhance stego.

generally its the JPEG standard that allows the payload, manipulation by abusing EXIF is how you operate the exploit.

there is a 64k file segment specified for JPEG, and you can abuse it to hold any "data" you want, as well as extending to other segments, for more storage.

the raw steganography in most primative form is a comparison of two photos, one of which is pixelshifted to encode the data.

in advanced form, the pixels hold the encrypted data, but the application segments of the JPEG hold keys and or matrix values, and you need a reference image. you can move fairly large volumes of ASCII representation like this before its noticed

you basicly write a webpage that local caches the payload and keys, then abuses EXIF to build and execute an exploit on the target.

this is a variation on a common theme in steganography, but still interesting and giving something a name can be a useful contribution in itself

My static site generator strips out exif data from images and I would expect all sensible sites would do the same. There is a lot of personal information jammed in there - if you post a picture of your dog making a funny face to social media you don’t want the exact GPS coordinates of your house plastered over the internet.

You have to be selective though, some of the EXIF data specifies things like color spaces and orientation that is used by browsers for displaying the image properly.