|  | Posted by gosha bine on 06/22/07 15:41 
On 22.06.2007 16:28 shimmyshack wrote:> On Jun 22, 1:41 pm, gosha bine <stereof...@gmail.com> wrote:
 >> On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
 >>
 >>> It's been mentioned here a couple of times in different threads regarding
 >>> image uploading. It's not new, but I found a clear explanation of what it
 >>> is and how to deal with it. Hope it helps some of you.
 >>> http://www.phpclasses.org/blog/post/67-PHP-security-exploit-with-GIF-...
 >>> Best!
 >>> Sh.
 >> How this exploit is related specifically to GIF files? You can insert
 >> php code in any file and every upload script that doesn't check file
 >> extensions is vulnerable.
 >>
 >> --
 >> gosha bine
 >>
 >> extended php parser ~http://code.google.com/p/pihipi
 >> blok ~http://www.tagarga.com/blok
 >
 > it isnt just a simple question of examining file extensions, see url
 > below for an example, there are of course others including execution
 > of php within jpeg comments, or just XSS within images. Some machines
 > are ok, some are not, depends on your setup, even serving image via
 > download file might not stop it on some setups.
 > http://milw0rm.com/video/watch.php?id=58-
 >
 
 Ok, but this has nothing to do with php. It's just a bug in (some
 obsolete version of) internet explorer.
 
 --
 gosha bine
 
 extended php parser ~ http://code.google.com/p/pihipi
 blok ~ http://www.tagarga.com/blok
  Navigation: [Reply to this message] |