On 5/16/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
On Mon, May 15, 2006 1:58 am, Jason Wong wrote: > 2) the uploaded file is a "script" (perl/php/python/etc) > In the case of (2), if the script relies on its shebang line to > execute Not necessarily -- What if I upload an "image" file named "badscript.php" and then I surf to it, after it's in your /images directory?
When using the php apache module, from a OS permissions, the Server reads as opposed to executes php code. .php files don't generally need to be executable IIRC. Game Over
If you want Shifflet's view, just go to http://phpsec.org -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
