Posted by Rory Browne on 01/22/06 21:30

Or put it in a directory with no PHP or CGI.

On 1/22/06, jonathan <news_php@arclocal.com> wrote:
> this is a little my fault. the example my friend showed me was a
> retracing of the example he saw in Pro PHP Security (p284).
> Basically, the short of the example is that a valid gif image could
> be uploaded with the extension .php and pass a getimagesize because
> it would have the necessary bytestream to think that it is a gif but
> that arbitrary php code could be appended at the end. To get around
> this, you just need to check for a valid file extension (.gif etc...)
> and mimetype.
>
> -jonathan
>
>
> On Jan 22, 2006, at 2:58 AM, Rory Browne wrote:
>
> > I'd be a bit skeptical about the possibly of embedding PHP code inside
> > a GIF file. Could you outline how he performed the task?
> >
> > On 1/22/06, jonathan <news_php@arclocal.com> wrote:
> >> what is the best way to prevent malicious code from being uploaded
> >> via a .gif file? A friend showed me how php could be embedded within
> >> the .gif file. Does this problem also exist for .jpeg's?
> >>
> >> thanks,
> >>
> >> jon
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> >>
> >>
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> >
>
>

[Back to original message]