Mastermind, posted December 12, 2002

I recently found that the image upload function in the Administration Tool can be exploited to execute external PHP scripts. You only have to upload the PHP script and execute it. If this is used by inserting a new product, you can run this script even while you're still in "preview mode", leaving almost no trace. As you can upload any script you want, you can browse the server and grep some passwords etc.

Since you need to have access to the Administration Tool, people can use the other functions of the Administration Tool to do something nasty. But if you have set up a demo shop in which you have disabled some features, this can be a serious problem.

You can prevent execution of uploaded PHP scripts by putting this in a .htaccess file in your image directory:

    <FilesMatch "\.(php|phtml|php3)$">
        order deny,allow
        deny from all
    </FilesMatch>

This gives a Forbidden on all .php, .phtml and .php3 files in the image directory.
Christian Lescuyer, posted December 13, 2002

Interesting. Thanks for the feedback.

Christian Lescuyer
henri, posted January 21, 2003

Another possibility would be checking if it's an image, with GetImageSize():

"If accessing the filename image is impossible, or if it isn't a valid picture, getimagesize() will return FALSE and generate a warning."
tbannist, posted January 21, 2003

You could also refuse any file which isn't on a short list of file types (gif, jpegs, and png). As I understand it, in PHP 4.0.0 and up the uploaded file array has a 'type' field that can be checked.
Adyx, posted January 22, 2003

RE: You can prevent execution of uploaded PHP script

Is it possible to use .htaccess to actually block anyone trying to upload a PHP script via the uploads/images directory, before they get a chance to even execute it?
Christian Lescuyer, posted January 22, 2003

I don't think so. The images directory needs read access for the HTTP server, so you could execute a .php file in there.

Christian Lescuyer
Ramesh, posted January 22, 2003

I believe it would be better to set what file types are allowed (.jpeg .jpg .png .mng .gif) rather than trying to block each and every PHP file type... what happens years from now when we have .php9! :-) There are only a handful of image types, but many executable file types.

Oh, .mng are animated .pngs (not that I've ever used a program which imports/exports/saves this format!)

Special Effects / 3d + Flash
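The three suggestions above (henri's getimagesize() check, and the allow-list of image types from tbannist and Ramesh) fit together into one server-side validation routine. The following is an added example written for this thread, not code from the shop's Administration Tool; it assumes a form field named "image", an image directory passed in by the caller, a 2 MB size limit, and PHP 7.1 or newer (for random_bytes() and nullable return types). It deliberately ignores the client-supplied 'type' field of $_FILES, since the browser fills that in and an attacker controls it; the content check and the forced extension do the real work. MNG is left out because getimagesize() has no IMAGETYPE constant for it.

```php
<?php
// Added example (not from the thread or the shop's code): validate an image upload
// with an extension allow-list plus a getimagesize() content check, then store it
// under a random name whose extension comes from the *detected* type.

// Accepted types, keyed by the IMAGETYPE_* value that getimagesize() reports in [2].
// Assumption: the shop only needs GIF, JPEG and PNG.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Extensions accepted on the client-supplied file name (cheap first filter only).
const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];

/**
 * Validate one entry of $_FILES. Returns the safe file name to store the image
 * under, or null if the upload is rejected.
 */
function validate_image_upload(array $upload, int $maxBytes = 2 * 1024 * 1024): ?string
{
    // PHP's own upload status must be "ok" and the file must really come from
    // this request (is_uploaded_file guards against a forged tmp_name).
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($upload['tmp_name']) || $upload['size'] > $maxBytes) {
        return null;
    }

    // 1. Extension allow-list, as tbannist and Ramesh suggest. This rejects
    //    "shell.php" outright; "shell.php.jpg" passes here and is handled below.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // 2. Content check, as henri suggests: getimagesize() returns false (and
    //    raises a warning, suppressed here) when the file is not a valid image.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }

    // 3. Never reuse the client's file name. A random name with the extension
    //    taken from the detected type means nothing in the image directory can
    //    ever carry a .php/.phtml/.php3 name, whatever the client called it.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$info[2]];
}

/**
 * Move a validated upload into $imageDir. Returns the stored path, or null.
 */
function store_image_upload(array $upload, string $imageDir): ?string
{
    $name = validate_image_upload($upload);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($imageDir, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable by the web server, no execute bit
    return $dest;
}

// Usage, assuming <input type="file" name="image"> in the product form:
// $stored = store_image_upload($_FILES['image'], __DIR__ . '/images');
// if ($stored === null) {
//     http_response_code(400);
//     echo 'Upload rejected';
// }
```

A getimagesize() check on its own is not a complete defence: a file can be a valid GIF or JPEG and still carry PHP code in a comment or metadata block, and it would run if it were ever served with a .php name. That is why the example throws the client's file name away and derives the extension from the detected type, and why Mastermind's .htaccess rule in the first post is still worth keeping as a second layer in case a stray .php file does land in the image directory.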