On Wed, May 17, 2006 11:29 am, Jason Wong wrote:
On Tuesday 16 May 2006 07:45, Richard Lynch wrote:
On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
2) the uploaded file is a script (perl/php/python/etc)
In the case of (2), if the script relies on its shebang line to
execute
Not
On Wed, May 17, 2006 11:40 am, Richard Collyer wrote:
Richard Lynch wrote:
On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
2) the uploaded file is a script (perl/php/python/etc)
In the case of (2), if the script relies on its shebang line to
execute
Not necessarily -- What if I upload an
On 5/16/06, Richard Lynch [EMAIL PROTECTED] wrote:
On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
2) the uploaded file is a script (perl/php/python/etc)
In the case of (2), if the script relies on its shebang line to
execute
Not necessarily -- What if I upload an image file named
On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
2) the uploaded file is a script (perl/php/python/etc)
In the case of (2), if the script relies on its shebang line to
execute
Not necessarily -- What if I upload an image file named
badscript.php and then I surf to it, after it's in your
On Tuesday 16 May 2006 07:45, Richard Lynch wrote:
On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
2) the uploaded file is a script (perl/php/python/etc)
In the case of (2), if the script relies on its shebang line to
execute
Not necessarily -- What if I upload an image file named
Richard Lynch wrote:
On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
2) the uploaded file is a script (perl/php/python/etc)
In the case of (2), if the script relies on its shebang line to
execute
Not necessarily -- What if I upload an image file named
badscript.php and then I surf to it,
On Monday 15 May 2006 10:53, Richard Lynch wrote:
On Sat, May 13, 2006 5:11 pm, Nick Wilson wrote:
are there any security concerns with uploaded images?
YES!!!
Just what are the security concerns exactly? Assuming we're only focusing
on attacks to the webserver[1] then I can only think of 2
Jason Wong wrote:
On Monday 15 May 2006 10:53, Richard Lynch wrote:
On Sat, May 13, 2006 5:11 pm, Nick Wilson wrote:
are there any security concerns with uploaded images?
YES!!!
Just what are the security concerns exactly? Assuming we're only focusing
on attacks to the webserver[1]
To summarise: the uploading of an executable masquerading as an image file
can be protected against via coding at the application level
My thought is that it wouldn't be too hard to have some kind of script
masquerade as a gif file, and perhaps cause damage.
More worrying and much harder
On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
2) the uploaded file is a script (perl/php/python/etc)
In the case of (2), if the script relies on its shebang line to
execute
Not necessarily -- What if I upload an image file named
badscript.php and then I surf to it, after it's in your
* and then chris smith declared
Check the file extension and the mimetype, make sure they are both
valid.. or as someone else suggested, use getimagesize on it - if that
returns false or empty then it's not an image.
Ok thanks guys. I'll do extension and mime and getimagesize() before
On Sat, May 13, 2006 5:11 pm, Nick Wilson wrote:
are there any security concerns with uploaded images?
YES!!!
My thought is that it wouldn't be too hard to have some kind of script
masquerade as a gif file, and perhaps cause damage.
I can't find any way to check a file really is a gif/png/jpg
Hi all,
are there any security concerns with uploaded images?
My thought is that it wouldn't be too hard to have some kind of script
masquerade as a gif file, and perhaps cause damage.
I can't find any way to check a file really is a gif/png/jpg (I assume the
mimetype available in $_FILES could
getimagesize() -
I wouldn't worry about people trying to upload scripts - assuming you limit
file-extensions to .gif, .bmp, .jpg, etc. .jpgs generally don't get executed
- unless you have a screwed up webserver install.
The best they will be able to do is have others download the script / code.
On 5/14/06, Nick Wilson [EMAIL PROTECTED] wrote:
Hi all,
are there any security concerns with uploaded images?
My thought is that it wouldn't be too hard to have some kind of script
masquerade as a gif file, and perhaps cause damage.
I can't find any way to check a file really is a gif/png/jpg