[nycphp-talk] GD or ImageMagick or...?
Carlos A Hoyos
cahoyos at us.ibm.com
Mon Nov 28 15:36:07 EST 2005
talk-bounces at lists.nyphp.org wrote on 11/28/2005 11:10:17 AM:
> Hey guys,
>
> I'm writing some custom blog software and want to add some features to
> handle uploading/storing/displaying photos. On upload from the user I...
Slightly related, the following announce was published a couple of days ago
in the phpsec list:
http://rgod.altervista.org/efiction2_xpl.html
Notice how one of the security problems disclosed for this application is
due to the app checking if an uploaded file is a valid image, but then
saving it under the server's document root without changing its name.
A specially crafted image allows for valid php to be embedded and in this
case executed. The uploaded file referred in this exploit is a valid gif
file, so $_FILES['type'] will return 'image/gif'.
So don't forget some good practices: always filter user input, when
possible store files outside of the document root (serve them through a
properly secured script) and run the web server under a user with no write
access under the servers document root.
Carlos
More information about the talk
mailing list