----- Original Message -----
From: "Arno Kuhl" <arno@xxxxxxxxxxxxxx>
To: <php-general@xxxxxxxxxxxxx>
Sent: Thursday, September 19, 2013 1:35 PM
Subject: Apache's PHP handlers

For the past week I've been trying to get to the bottom of an exploit, but googling hasn't been much help so far, nor has my service provider. Basically a file was uploaded with the filename xxx.php.pgif which contained nasty php code, and then the file was run directly from a browser. The upload script used to upload this file checks that the upload filename doesn't have a .php extension, which in this case it doesn't, so let it through. I was under the impression apache would serve any file with an extension not listed in its handlers directly back to the browser, but instead it sent it to the php handler. Is this normal behaviour or is there a problem with my service provider's apache configuration? Trying this on my localhost returns the file contents directly to the browser as expected and doesn't run the php code.

Cheers
Arno

Arno,

the php file hidden as a gif will indeed not execute if opened directly from your website. But if opened from a page hosted elsewhere with some code like require($path_to_your_image), the php code inside the image will be sent to the php handler and will be executed.

Prevention is the best way to avoid hacking from image upload. Check the file extension and the file content before upload.

Cheers.
Steven
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
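
An added example, not part of either message or of Arno's upload script: an upload check that examines every dot-separated part of the client filename (so a name like xxx.php.pgif is refused), confirms the content matches the final extension, and stores the file under a server-generated name. The function name, the extension lists and the sample GIF bytes are assumptions made for illustration.

```php
<?php
// Added example: all names, lists and sample data here are assumptions.

// Extensions a host might map to a script handler (assumed list; adjust per server).
const SCRIPT_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'pht', 'cgi', 'pl', 'py', 'sh'];
// Allowed final extension => MIME type the file content must have.
const ALLOWED = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

/** Returns a safe storage name for an upload, or null if it must be rejected. */
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    // Strip any directory part the client supplied (both slash styles).
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // Inspect every segment after the base name, not only the last one.
    $parts = explode('.', strtolower($name));
    array_shift($parts);
    if (!$parts) {
        return null; // no extension at all
    }
    foreach ($parts as $segment) {
        if (in_array($segment, SCRIPT_EXTS, true)) {
            return null; // e.g. xxx.php.pgif, photo.php.gif
        }
    }
    $ext = end($parts);
    if (!isset(ALLOWED[$ext])) {
        return null; // unknown final extension such as .pgif
    }
    // The content must match what the extension claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED[$ext]) {
        return null;
    }
    // Never reuse the client's name: store under a random name with one known extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a 1x1 GIF written to a temp file, tried under several client names.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
foreach (['photo.gif', 'xxx.php.pgif', 'photo.php.gif', 'photo.png'] as $n) {
    printf("%-14s => %s\n", $n, safe_upload_name($n, $tmp) ?? 'REJECTED');
}
unlink($tmp);
```

A file that is a valid image can still carry embedded code, so the generated single-extension name is what keeps the stored file from matching a script handler; keeping the upload directory outside the web root or with script execution disabled adds a second layer.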