
osCommerce

Possible security problem


Mastermind


I recently found that the image upload function in the Administration Tool can be exploited to execute external PHP scripts. You only have to upload the PHP script and execute it. If this is used by inserting a new product, you can run this script even while you're still in "preview mode", leaving almost no trace.

 

As you can upload any script you want, you can browse the server and grep some passwords etc.

 

Since you need to have access to the Administration Tool, people can use the other functions of the Administration Tool to do something nasty.

But if you have set up a demo shop in which you have disabled some features, this can be a serious problem.

 

You can prevent execution of uploaded PHP script by putting this in a .htaccess file in your image directory

# Apache 2.2 access syntax: refuse every file name ending in .php, .phtml or .php3
# (the dot has to be escaped; an unescaped "." matches any character)
<FilesMatch "\.(php|phtml|php3)$">
  order deny,allow
  deny from all
</FilesMatch>

 

This gives a Forbidden on all .php, .phtml and .php3 files in the image directory.

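The same .htaccess idea in allowlist form, as an added example that is not from the original post: rather than enumerating script extensions to refuse, refuse everything in the image directory except image extensions, and also strip any script handler from the directory. It assumes Apache 2.4 (Require syntax), that the file sits in the upload/image directory, and that AllowOverride permits FileInfo, Limit and Options there; the mod_php module name depends on the PHP version.

```apache
# Added example (not from the original post). Assumes Apache 2.4 and that
# AllowOverride FileInfo Limit Options is in effect for this directory.

# Serve nothing in this directory by default.
<FilesMatch ".*">
  Require all denied
</FilesMatch>

# Then re-allow only names whose final extension is an image type.
# Later <FilesMatch> sections override earlier ones for the names they match.
<FilesMatch "\.(?i:jpe?g|png|gif|mng)$">
  Require all granted
</FilesMatch>

# Belt and braces: even an allowed name must never reach a script engine.
RemoveHandler .php .phtml .php3 .php4 .php5 .phar
RemoveType .php .phtml .php3 .php4 .php5 .phar
Options -ExecCGI -Includes
# mod_php.c for PHP 8; use mod_php7.c / mod_php5.c on older installs
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
```

A request for anything other than an image name gets a 403 before a handler is ever consulted, so a new script extension appearing later does not reopen the hole; the RemoveHandler/engine-off lines are there in case an image-named file is ever mapped to PHP by some other rule.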

Another possibility would be checking if it's an image:

with GetImageSize()

If accessing the filename image is impossible, or if it isn't a valid picture, getimagesize() will return FALSE and generate a warning.

RE: You can prevent execution of uploaded PHP script

 

Is it possible to use .htaccess to actually block anyone trying to upload a PHP script via uploads/images, before they get a chance to even execute it?


I believe it would be better to set what file types are allowed ( .jpeg .jpg .png .mng .gif )

rather than trying to block each and every php file type ....what happens years from now when we have .php9 !:-)

 

there are only a handful of image types , but many executable file types.

 

Oh, .mng are animated .pngs (not that I've ever used a program that imports/exports/saves this format!)

Special Effects / 3d + Flash

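The content check from the getimagesize() post and the extension allowlist from the post above, combined into one upload validator. This is an added example written in Python to show the logic; it is not code from osCommerce or from any poster, and an osCommerce deployment would do the equivalent in PHP. The function names validate_image_upload and sniff_image, the allowlist, and the sample files are assumptions constructed for the example.

```python
"""Added example (not osCommerce code): validate an uploaded image before it is
stored. Combines an extension allowlist with a header check in the spirit of
PHP's getimagesize(), and requires the two to agree. Names and sample files are
constructed for this example."""
import os
import re
import struct

# Allowlist of final extensions and the image type each must actually contain.
ALLOWED = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def sniff_image(data: bytes):
    """Return (kind, width, height) from the file header, or None if the bytes
    are not a JPEG, PNG or GIF. Like getimagesize(), this only inspects the
    header, so it proves the file *starts* like an image, nothing more."""
    if data.startswith(b"\x89PNG\r\n\x1a\n") and len(data) >= 24 and data[12:16] == b"IHDR":
        width, height = struct.unpack(">II", data[16:24])
        return ("png", width, height)
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        width, height = struct.unpack("<HH", data[6:10])
        return ("gif", width, height)
    if data.startswith(b"\xff\xd8\xff"):
        # Walk the marker segments after SOI until the first SOFn segment,
        # whose payload is precision(1), height(2), width(2).
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                height, width = struct.unpack(">HH", data[i + 5:i + 9])
                return ("jpeg", width, height)
            i += 2 + seg_len
    return None


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return the name to store the file under, or raise UploadRejected.
    Checks: exactly one extension (so shell.php.jpg is out; Apache's AddHandler
    matches any extension in the name, not just the last), that extension is
    allowlisted, the bytes sniff as an image, and the sniffed type matches."""
    base = os.path.basename(filename)           # drop any directory part
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        raise UploadRejected("name must be <name>.<ext> with a single extension")
    stem, ext = parts
    if ext not in ALLOWED:
        raise UploadRejected(f".{ext} is not an allowed image extension")
    info = sniff_image(data)
    if info is None:
        raise UploadRejected("content is not a JPEG, PNG or GIF")
    kind, width, height = info
    if kind != ALLOWED[ext] or width == 0 or height == 0:
        raise UploadRejected(f"content is {kind} {width}x{height}, not a valid .{ext}")
    return f"{stem}.{ext}"


# Constructed sample files: minimal headers, just enough to be sniffed.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 4, 4) + b"\x08\x06\x00\x00\x00" + b"\x00" * 4)
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 2, 3) + b"\x00\x00\x00;"
SAMPLE_JPEG = (b"\xff\xd8"                                                  # SOI
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9  # APP0
               + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"
               + struct.pack(">HH", 4, 6) + b"\x03" + b"\x00" * 9           # SOF0: 4 high, 6 wide
               + b"\xff\xd9")                                               # EOI
SAMPLE_PHP = b"<?php phpinfo(); ?>"

if __name__ == "__main__":
    for name, blob in [("logo.png", SAMPLE_PNG), ("shell.php", SAMPLE_PHP),
                       ("shell.php.jpg", SAMPLE_JPEG), ("fake.png", SAMPLE_GIF)]:
        try:
            print(name, "->", validate_image_upload(name, blob))
        except UploadRejected as e:
            print(name, "-> rejected:", e)
```

Two caveats the posts imply but do not spell out: the header check only proves the file begins like an image (a file that starts with GIF89a and continues with PHP passes it, exactly as it would pass getimagesize()), and the single-extension rule matters because Apache's AddHandler matches any extension in a name, so shell.php.jpg can still be run as PHP on such a setup. Both are reasons to keep the execution block on the image directory in addition to validating uploads.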
