Hi Dan

On Wednesday, February 25, 2015, Dan Ackroyd <dan...@basereality.com> wrote:

> On 25 February 2015 at 00:09, Pádraic Brady <padraic.br...@gmail.com> wrote:
> >
> > Your example omitted the image validation step which would have
> > noticed your attempt to upload a phar immediately. Add that and try
> > again.
>
> Image validation is no defense against this type of attack:
>
> http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/
>
> As soon as you have any possibility of including a file uploaded by an
> attacker, you are probably going to lose.

That was indeed my point as Yasuo has already explained earlier. Image validation would however see a phar a mile off.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
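
The two observations in this exchange, as an added PHP example that is not part of the original messages: a header check rejects a file that begins with a phar stub, yet accepts a well-formed JPEG whose comment segment carries a PHP open tag. The helper names and all byte strings are constructed for illustration, and `getimagesizefromstring()` stands in for whatever image validation step the upload handler uses (an assumption).

```php
<?php
// Added example: every byte string below is a constructed sample, not a real upload.

// Stand-in for the "image validation step" (assumption): accept only data that
// PHP's image header parser recognises as JPEG, PNG or GIF.
function looks_like_image(string $bytes): bool
{
    $info = @getimagesizefromstring($bytes);
    return $info !== false
        && in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true);
}

// Not a defense: only reports whether a PHP open tag or phar stub marker is
// still present in the bytes, to show what survives the header check.
function carries_php_tag(string $bytes): bool
{
    return (bool) preg_match('/<\?(php|=)|__HALT_COMPILER\s*\(/i', $bytes);
}

// Build one JPEG segment: marker byte plus big-endian length (length counts itself).
function segment(int $marker, string $payload): string
{
    return "\xFF" . chr($marker) . pack('n', strlen($payload) + 2) . $payload;
}

// Constructed minimal JPEG: SOI, JFIF APP0, one COM segment, SOF0 (1x1), EOI.
function sample_jpeg(string $comment): string
{
    return "\xFF\xD8"
        . segment(0xE0, "JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        . segment(0xFE, $comment)
        . segment(0xC0, "\x08\x00\x01\x00\x01\x01\x01\x11\x00")
        . "\xFF\xD9";
}

$samples = [
    'plain jpeg'        => sample_jpeg('constructed comment'),
    'jpeg with php tag' => sample_jpeg('<?php /* constructed marker, no payload */ ?>'),
    'phar stub'         => "<?php __HALT_COMPILER(); ?>\r\n" . str_repeat("\x00", 16),
];

foreach ($samples as $name => $bytes) {
    printf("%-18s image=%-3s php_tag=%s\n", $name,
        looks_like_image($bytes) ? 'yes' : 'no',
        carries_php_tag($bytes) ? 'yes' : 'no');
}
```

The JPEG with the tag in its comment segment is a valid image as far as the header parser is concerned, so the check says nothing about what happens if that file is ever passed to `include`.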