Would be interesting if the attacker presumed you would do this, and made it so the converted image contains the malicious code.
On Dec 3, 1:48 am, "Ma'moon" <[email protected]> wrote: > You can easily remove the threat by using an image conversion, i use > `convert` to convert my images to a standard image type, the conversion > process changes the physical content of the uploaded file and destroys all > the threat that it might contain while maintaining the valid images if they > were valid from the first place!, its very important to `convert` the images > specially the ones uploaded from your side! > > On Fri, Dec 3, 2010 at 6:15 AM, cricket <[email protected]> wrote: > > On Thu, Dec 2, 2010 at 8:25 PM, euromark <[email protected]> > > wrote: > > > Did anyone try this? > > >http://wafful.org/2007/08/04/php-code-in-gif-image-file/ > > > > I am wondering if miles uploader script or any other uploader plugin > > > is aware of that risk yet. > > > Or how dangerous this actually is for "normal" cake apps. > > > > Anyone happen to have such a "bad" image at hand? > > > Drop me a line and I will report back with details. > > > > I think <?php phpinfo();?> would be a good script to include > > > I never did look into that further to see if there's something that > > can easily be done to catch those. But I've never been too concerned, > > either. Notice that the code embedded in the image is triggered > > because the file is included inside a PHP script. The only other way > > that I know of to use this exploit is to upload an image named > > something.gif.php. I always check both the extension and file type. If > > there's something I'm missing, though, I'd like to hear more. > > > Check out the new CakePHP Questions sitehttp://cakeqs.organd help others > > with their CakePHP related questions. > > > You received this message because you are subscribed to the Google Groups > > "CakePHP" group. > > To post to this group, send email to [email protected] > > To unsubscribe from this group, send email to > > [email protected]<cake-php%[email protected]>For > > more options, visit this group at > >http://groups.google.com/group/cake-php?hl=en > > Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
