Posted by shimmyshack on 06/22/07 15:43

On Jun 22, 4:41 pm, gosha bine <stereof...@gmail.com> wrote:
> On 22.06.2007 16:28 shimmyshack wrote:
>
>
>
> > On Jun 22, 1:41 pm, gosha bine <stereof...@gmail.com> wrote:
> >> On 22.06.2007 12:57 Schraalhans Keukenmeester wrote:
>
> >>> It's been mentioned here a couple of times in different threads regarding
> >>> image uploading. It's not new, but I found a clear explanation of what it
> >>> is and how to deal with it. Hope it helps some of you.
> >>>http://www.phpclasses.org/blog/post/67-PHP-security-exploit-with-GIF-...
> >>> Best!
> >>> Sh.
> >> How this exploit is related specifically to GIF files? You can insert
> >> php code in any file and every upload script that doesn't check file
> >> extensions is vulnerable.
>
> >> --
> >> gosha bine
>
> >> extended php parser ~http://code.google.com/p/pihipi
> >> blok ~http://www.tagarga.com/blok
>
> > it isnt just a simple question of examining file extensions, see url
> > below for an example, there are of course others including execution
> > of php within jpeg comments, or just XSS within images. Some machines
> > are ok, some are not, depends on your setup, even serving image via
> > download file might not stop it on some setups.
> >http://milw0rm.com/video/watch.php?id=58-
>
> Ok, but this has nothing to do with php. It's just a bug in (some
> obsolete version of) internet explorer.
>
> --
> gosha bine
>
> extended php parser ~http://code.google.com/p/pihipi
> blok ~http://www.tagarga.com/blok

the other examples do have to do with php. I just didnt provide any
links for them.

[Back to original message]