Thanks for the link. I got worried for a second that my code could be exploited so I did a quick check to make sure that mime-types were correct. (I check the mime type to make sure it's an image, not the file extension.) I renamed a .jpg file .jpg.php and uploaded it and got application/x-php as a mime type.
Is there a way to fake the mime type of what you've uploaded so that this exploit is still possible? Should I be checking both mime types and file extensions? Thanks On 6/20/07, Daniel Brown <[EMAIL PROTECTED]> wrote:
On 6/20/07, Jochem Maas <[EMAIL PROTECTED]> wrote: > Daniel Brown wrote: > > On 6/20/07, Tijnema <[EMAIL PROTECTED]> wrote: > >> Hi all, > >> > >> Just received a mail from phpclasses, which pointed to this very > >> interesting article[1]. Seems good to know for starters ;) > >> The experts around here probably already know this way of exploits. > >> > >> Tijnema > >> > >> [1] > >> http://www.phpclasses.org/blog/post/67-PHP-security-exploit-with-GIF-images.html > >> > >> > >> -- > >> PHP General Mailing List (http://www.php.net/) > >> To unsubscribe, visit: http://www.php.net/unsub.php > >> > >> > > > > I've been doing stuff like that for legitimate reasons for about > > two years.... I thought everyone knew about it. > > exactly what are those legitimate reasons for uploading and executing > php on other peoples server with authorization? :-> > > my defense lawyer might be interested ;-) > > > > > No, not the upload and execution, per se, but rather using images to contain processable PHP code. -- Daniel P. Brown [office] (570-) 587-7080 Ext. 272 [mobile] (570-) 766-8107 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
