Re: [PHP] Apache's PHP handlers

2013-09-19 Thread Design in Motion Webdesign
- Original Message - 
From: Arno Kuhl a...@dotcontent.net

To: php-general@lists.php.net
Sent: Thursday, September 19, 2013 1:35 PM
Subject: [PHP] Apache's PHP handlers



For the past week I've been trying to get to the bottom of an exploit, but
googling hasn't been much help so far, nor has my service provider.
Basically a file was uploaded with the filename xxx.php.pgif which contained
nasty php code, and then the file was run directly from a browser. The
upload script used to upload this file checks that the upload filename
doesn't have a .php extension, which in this case it doesn't, so let it
through. I was under the impression apache would serve any file with an
extension not listed in its handlers directly back to the browser, but
instead it sent it to the php handler. Is this normal behaviour or is there
a problem with my service provider's apache configuration? Trying this on my
localhost returns the file contents directly to the browser as expected and
doesn't run the php code.



Cheers

Arno



Arno,

the php file hidden as a gif will indeed not execute if opened directly from 
your website. But if opened from a page hosted elsewhere with some code like 
require($path_to_your_image), the php code inside the image will be sent to 
the php handler and will be executed.


Prevention is the best way to avoid hacking from image upload. Check the 
file extension and the file content before upload.


Cheers.
Steven 



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
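
The upload check discussed in this thread, as an added example that is not part of any poster's message: it rejects a name with `.php` in any position (such as xxx.php.pgif), verifies that the content parses as an image, and stores the file under a server-generated name. The function names, the extension list and the upload directory are assumptions for illustration.

```php
<?php
// Added example; helper names, the extension list and paths are assumptions.
const ALLOWED_IMAGES = [            // detected image type => extension we assign
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];
// Extensions a server may map to the PHP handler (assumed list; match it to
// the handler configuration of the actual host).
const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

// True if ANY dot-separated segment after the base name is executable,
// so "xxx.php.pgif" is caught even though it does not end in ".php".
function hasExecutableSegment(string $clientName): bool
{
    $segments = explode('.', strtolower(basename($clientName)));
    array_shift($segments);                       // drop the base name
    return (bool) array_intersect($segments, EXECUTABLE_SEGMENTS);
}

// Validates one entry of $_FILES and stores it under a generated name.
// Returns the stored file name, or null when the upload is rejected.
function storeUploadedImage(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (hasExecutableSegment($file['name'])) {
        return null;
    }
    // Check the content rather than the name: it must parse as an allowed image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGES[$info[2]])) {
        return null;
    }
    // Discard the client-supplied name: random base, one extension chosen here.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $stored)) {
        return null;
    }
    return $stored;
}

// Constructed sample names, checked without a real upload:
foreach (['xxx.php.pgif', 'holiday.gif', 'logo.PHP', 'notes.phtml.txt'] as $name) {
    printf("%-16s %s\n", $name, hasExecutableSegment($name) ? 'reject' : 'accept');
}
```

A file that passes getimagesize() can still carry PHP text after a valid image header, so the generated single-extension name is what keeps the stored file away from the PHP handler.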



Re: [PHP] Apache's PHP handlers

2013-09-19 Thread Design in Motion Webdesign

Hi Arno,

It has nothing to do with .php in the file name. What the hacker did was 
upload a .gif file with some malicious php code included to your 
webserver. Then he called the .gif file from his own website by using a php 
script containing some code like 
require_once('http://www.yoursite.com/images/yourimage.gif'). At that moment 
the php code inside the .gif file was executed.


Steven

- Original Message - 
From: Arno Kuhl a...@dotcontent.net
To: 'Design in Motion Webdesign' i...@designinmotion.be; 
php-general@lists.php.net

Sent: Thursday, September 19, 2013 2:43 PM
Subject: RE: [PHP] Apache's PHP handlers


For the past week I've been trying to get to the bottom of an exploit, but
googling hasn't been much help so far, nor has my service provider.
Basically a file was uploaded with the filename xxx.php.pgif which contained
nasty php code, and then the file was run directly from a browser. The
upload script used to upload this file checks that the upload filename
doesn't have a .php extension, which in this case it doesn't, so let it
through. I was under the impression apache would serve any file with an
extension not listed in its handlers directly back to the browser, but
instead it sent it to the php handler. Is this normal behaviour or is there
a problem with my service provider's apache configuration? Trying this on
my localhost returns the file contents directly to the browser as expected
and doesn't run the php code.

--

Arno,

the php file hidden as a gif will indeed not execute if opened directly from
your website. But if opened from a page hosted elsewhere with some code like
require($path_to_your_image), the php code inside the image will be sent to
the php handler and will be executed.

Prevention is the best way to avoid hacking from image upload. Check the
file extension and the file content before upload.

Cheers.
Steven
--

Hi Steven, I agree the best way to avoid this is for the file upload script
to check the file contents and that's something I'll have to sort out,
currently it just checks the extension. But it's still a concern that a file
with any arbitrary extension can be processed as php script as long as it
has the text .php in the filename. I'm not worried about including the
file because that would require pre-existing malicious php code, I want to
prevent that malicious php code from running in the first place.

Cheers
Arno





Re: [PHP] phpinfo()

2013-02-20 Thread Design in Motion Webdesign





John Taylor-Johnston john.taylor-johns...@cegepsherbrooke.qc.ca wrote:


I cannot find button2 in phpinfo() when I click it. I was hoping to find
a $_POST[button2] value.
What am I doing wrong?

<input type="button" name="button2" id="button2" value="Print Mode"
onclick="formSubmit()">

I really wanted to use a button to pass a different condition than a
<input type="submit">


Use a different value or name on the <input type="submit"/> button. Don't 
use JavaScript to trigger the form like that. It's not necessary and will 
bite you in the ass if you get a visitor who browses without JavaScript, 
which can include security aware users, blind users, etc.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Try $_POST['button2']

Best regards.
Steven

