Re: Security Concerns with Uploaded Images:

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/16/06, Richard Lynch <ceo@xxxxxxxxx> wrote:

On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
> 2) the uploaded file is a "script" (perl/php/python/etc)

> In the case of (2), if the script relies on its shebang line to
> execute

Not necessarily -- What if I upload an "image" file named
"badscript.php" and then I surf to it, after it's in your /images
directory?


When using the php apache module, from a OS permissions, the Server reads as
opposed to executes php code. .php files don't generally need to be
executable IIRC.

Game Over


If you want Shifflet's view, just go to http://phpsec.org

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux