> For the past week I've been trying to get to the bottom of an exploit, but
> googling hasn't been much help so far, nor has my service provider.
> Basically a file was uploaded with the filename xxx.php.pgif which
> contained nasty php code, and then the file was run directly from a browser. The
> upload script used to upload this file checks that the upload filename
> doesn't have a .php extension, which in this case it doesn't, so let it
> through. I was under the impression apache would serve any file with an
> extension not listed in its handlers directly back to the browser, but
> instead it sent it to the php handler. Is this normal behaviour or is
> it a problem with my service provider's apache configuration? Trying this on
> my localhost returns the file contents directly to the browser as expected
> and doesn't run the php code.


The php file hidden as a gif will indeed not execute if opened directly from
your website. But if opened from a page hosted elsewhere with some code like
require($path_to_your_image), the php code inside the image will be sent to
the php handler and will be executed.

Prevention is the best way to avoid hacking from image upload. Check the
file extension and the file content before upload.


Hi Steven, I agree the best way to avoid this is for the file upload script
to check the file contents and that's something I'll have to sort out,
currently it just checks the extension. But it's still a concern that a file
with any arbitrary extension can be processed as php script as long as it
has the text ".php" in the filename. I'm not worried about including the
file because that would require pre-existing malicious php code, I want to
prevent that malicious php code from running in the first place.
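
The upload check discussed in this thread, as an added example that is not part of the original messages: a hypothetical safe_image_name() helper that rejects any name with more than one extension segment (so xxx.php.pgif fails), compares the sniffed content type with the extension, and stores the file under a server-generated name. The function name, the allow-list and the sample bytes are assumptions.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Allow-list: the only extensions accepted, and the content type each must match.
const ALLOWED_IMAGES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/** Returns a server-generated storage name, or null if the upload is rejected. */
function safe_image_name(string $clientName, string $tmpPath): ?string
{
    // Look at every dot-separated segment after the base name, not only the
    // last one: "xxx.php.pgif" has two segments, "php" and "pgif".
    $segments = explode('.', strtolower(basename($clientName)));
    array_shift($segments);                      // drop the base name
    if (count($segments) !== 1) {
        return null;                             // no extension, or more than one
    }
    $ext = $segments[0];
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return null;                             // extension not on the allow-list
    }

    // Content check: the type sniffed from the bytes must match the extension,
    // and the image header must parse.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_IMAGES[$ext] || getimagesize($tmpPath) === false) {
        return null;
    }

    // A valid image header does not prove the file is free of PHP code, so
    // the client-supplied name is never reused: the stored name has exactly
    // one extension, taken from the allow-list.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a minimal GIF header followed by placeholder PHP text.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;" . '<?php /* placeholder */ ?>');

var_dump(safe_image_name('xxx.php.pgif', $tmp)); // two extension segments
var_dump(safe_image_name('photo.gif', $tmp));    // one allow-listed segment
unlink($tmp);
```

In a real upload handler the second argument would be $_FILES[...]['tmp_name'], and the returned name would be the target passed to move_uploaded_file().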


PHP General Mailing List (http://www.php.net/)