On 25 February 2015 at 00:09, Pádraic Brady <padraic.br...@gmail.com> wrote:
>
> Your example omitted the image validation step which would have
> noticed your attempt to upload a phar immediately. Add that and try
> again.

Image validation is no defense against this type of attack:
http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/

As soon as you have any possibility of including a file uploaded by an
attacker, you are probably going to lose.

cheers
Dan

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
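An added example, not part of the original message or of PHP itself: it shows why a structurally valid JPEG can still carry PHP source, by walking the header segments of a constructed sample and flagging any that contain a PHP open tag. The function names `jpegSegments` and `segmentsWithPhpTags` and the sample bytes are assumptions made for this illustration.

```php
<?php
// Split a JPEG header into [marker, payload] pairs; null if the structure is invalid.
function jpegSegments(string $bytes): ?array
{
    if (strncmp($bytes, "\xFF\xD8", 2) !== 0) {
        return null;                              // missing SOI marker
    }
    $segments = [];
    $pos = 2;
    $len = strlen($bytes);
    while ($pos + 4 <= $len) {
        if ($bytes[$pos] !== "\xFF") {
            return null;                          // lost marker sync
        }
        $marker = ord($bytes[$pos + 1]);
        if ($marker === 0xDA || $marker === 0xD9) {
            break;                                // SOS or EOI: header is over
        }
        $size = unpack('n', substr($bytes, $pos + 2, 2))[1]; // big-endian, counts itself
        if ($size < 2 || $pos + 2 + $size > $len) {
            return null;                          // truncated or bogus segment
        }
        $segments[] = [$marker, substr($bytes, $pos + 4, $size - 2)];
        $pos += 2 + $size;
    }
    return $segments;
}

// Markers (hex) of segments whose payload holds "<?php" or "<?="; bare "<?" is not matched.
function segmentsWithPhpTags(array $segments): array
{
    $hits = array_filter($segments, fn(array $s): bool => preg_match('/<\?(?:php|=)/i', $s[1]) === 1);
    return array_map(fn(array $s): string => sprintf('0x%02X', $s[0]), array_values($hits));
}

// Constructed sample: SOI, APP0 (JFIF), COM holding PHP source, SOF0 (1x1 px), EOI.
$seg = fn(int $m, string $p): string => "\xFF" . chr($m) . pack('n', strlen($p) + 2) . $p;
$upload = "\xFF\xD8"
    . $seg(0xE0, "JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    . $seg(0xFE, '<?php echo "constructed sample"; ?>')
    . $seg(0xC0, "\x08\x00\x01\x00\x01\x01\x01\x11\x00")
    . "\xFF\xD9";

printf("getimagesizefromstring accepts it: %s\n",
    getimagesizefromstring($upload) !== false ? 'yes' : 'no');
printf("segments containing a PHP open tag: %s\n",
    implode(', ', segmentsWithPhpTags(jpegSegments($upload) ?? [])) ?: 'none');
```

The scan covers header segments only; bytes in the compressed scan data or after the EOI marker are not inspected, so a clean result does not make an uploaded file safe to pass to `include`.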