On IE 5.5 and 6.x you can inject JS through PNGs.
As I remember, they patched it in 7.x.

On 20/04/2008, Richard Heyes <richardh@xxxxxxxxxxx> wrote:
> > I mean, if you already specified it as a PNG image with header(), how
> > do you execute Javascript/malicious code, as the browser will render
> > it as a PNG?
>
> Malicious code can still be embedded in images. The vulnerabilities ISTR
> are in Windows image handling libraries. I assume they've been fixed now
> though because it was some time ago. But that doesn't mean to say more won't
> be found.
>
> --
> Richard Heyes