Re: [PHP] Security Concerns with Uploaded Images:

2006-05-18 Thread Richard Lynch
On Wed, May 17, 2006 11:40 am, Richard Collyer wrote:
> Richard Lynch wrote:
>> On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
>>> 2) the uploaded file is a "script" (perl/php/python/etc)
>>
>>> In the case of (2), if the script relies on its shebang line to
>>> execute
>>
>> Not necessarily -- Wh

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-18 Thread Richard Lynch
On Wed, May 17, 2006 11:29 am, Jason Wong wrote:
> On Tuesday 16 May 2006 07:45, Richard Lynch wrote:
>> On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
>> > 2) the uploaded file is a "script" (perl/php/python/etc)
>> >
>> > In the case of (2), if the script relies on its shebang line to
>> > execu

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-17 Thread Richard Collyer
Richard Lynch wrote:
> On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
>> 2) the uploaded file is a "script" (perl/php/python/etc)
>
>> In the case of (2), if the script relies on its shebang line to
>> execute
>
> Not necessarily -- What if I upload an "image" file named
> "badscript.php" and then I surf to

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-17 Thread Jason Wong
On Tuesday 16 May 2006 07:45, Richard Lynch wrote:
> On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
> > 2) the uploaded file is a "script" (perl/php/python/etc)
> >
> > In the case of (2), if the script relies on its shebang line to
> > execute
>
> Not necessarily -- What if I upload an "image" fi

RE: [PHP] Security Concerns with Uploaded Images:

2006-05-17 Thread George Pitcher
> On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
> > 2) the uploaded file is a "script" (perl/php/python/etc)
>
> > In the case of (2), if the script relies on its shebang line to
> > execute
>
> Not necessarily -- What if I upload an "image" file named
> "badscript.php" and then I surf to it, aft

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-17 Thread Rory Browne
On 5/16/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
> > 2) the uploaded file is a "script" (perl/php/python/etc)
> > In the case of (2), if the script relies on its shebang line to
> > execute
>
> Not necessarily -- What if I upload an "image" file named

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-15 Thread Richard Lynch
On Mon, May 15, 2006 1:58 am, Jason Wong wrote:
> 2) the uploaded file is a "script" (perl/php/python/etc)

> In the case of (2), if the script relies on its shebang line to
> execute

Not necessarily -- What if I upload an "image" file named
"badscript.php" and then I surf to it, after it's in you

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-15 Thread tedd
To summarise: the uploading of an executable masquerading as an image file can be protected against via coding at the application level

> My thought is that it wouldn't be too hard to have some kind of script
> masquerade as a gif file, and perhaps cause damage.

More worrying and much harder

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-15 Thread Chris
Jason Wong wrote:
> On Monday 15 May 2006 10:53, Richard Lynch wrote:
> > On Sat, May 13, 2006 5:11 pm, Nick Wilson wrote:
> > > are there any security concerns with uploaded images?
> >
> > YES!!!
>
> Just what are the security concerns exactly? Assuming we're only focusing
> on attacks to the webserver[1] then

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-14 Thread Jason Wong
On Monday 15 May 2006 10:53, Richard Lynch wrote:
> On Sat, May 13, 2006 5:11 pm, Nick Wilson wrote:
> > are there any security concerns with uploaded images?
>
> YES!!!

Just what are the security concerns exactly? Assuming we're only focusing on attacks to the webserver[1] then I can only think

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-14 Thread Richard Lynch
On Sat, May 13, 2006 5:11 pm, Nick Wilson wrote:
> are there any security concerns with uploaded images?

YES!!!

> My thought is that it wouldn't be too hard to have some kind of script
> masquerade as a gif file, and perhaps cause damage.
>
> I can't find any way to check a file really is a gif/png/

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-14 Thread Nick Wilson
* and then chris smith declared
> Check the file extension and the mimetype, make sure they are both
> valid.. or as someone else suggested, use getimagesize on it - if that
> returns false or empty then it's not an image.

Ok thanks guys. I'll do extension and mime and getimagesize() before s

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-13 Thread chris smith
On 5/14/06, Nick Wilson <[EMAIL PROTECTED]> wrote:
> Hi all,
> are there any security concerns with uploaded images?
> My thought is that it wouldn't be too hard to have some kind of script
> masquerade as a gif file, and perhaps cause damage.
> I can't find any way to check a file really is a gif/png/jpg

Re: [PHP] Security Concerns with Uploaded Images:

2006-05-13 Thread Rory Browne
getimagesize() - I wouldn't worry about people trying to upload scripts - assuming you limit file-extensions to .gif, .bmp, .jpg, etc. .jpgs generally don't get executed - unless you have a screwed up webserver install. The best they will be able to do is have others download the script / code.