in reply to RE:(4) File Upload Security Question
in thread File Upload Security Question

Thank you.
That is *just* what I needed to get going.

Gratefully,
Rad

Re^3: (4) File Upload Security Question
by Mr.Clean (Initiate) on Mar 10, 2008 at 21:28 UTC
    Not always. There is a class of vulnerabilities known as Arbitrary File Upload. What an attacker will do is put the source code for a PHP shell (a web application used to manipulate a server) into a text document and then name it "name.php.jpg". What this is doing is disguising the shell as a JPEG image. This file will be uploaded unless your web application sanitizes the inputted file. So make sure that your web application does sanitize the file by making sure that the data that the file holds is of the correct extension.
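
An added example, not part of the original post or thread: one way to implement the check the reply above recommends, comparing the uploaded bytes against the claimed extension and rejecting names such as "name.php.jpg". The function names, the allowed image types and the sample inputs are assumptions made for illustration.

```python
import os
import secrets

# Magic-byte signatures for the image types this (assumed) application accepts.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
ALIASES = {"jpeg": "jpg"}


def sniff_type(data):
    """Return the image type whose signature starts the data, or None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def validate_upload(client_name, data):
    """Return (ok, reason, stored_name); stored_name is None on rejection."""
    # Drop any directory part the client supplied, whichever separator it used.
    base = os.path.basename(client_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # "name.php.jpg" carries an inner extension: reject it rather than
        # guess which extension the web server will honour.
        return False, "filename must have exactly one extension", None
    ext = ALIASES.get(parts[1], parts[1])
    if ext not in SIGNATURES:
        return False, "extension not allowed", None
    kind = sniff_type(data)
    if kind != ext:
        return False, "content does not match extension", None
    # Never reuse the client's name on disk: generate one server-side.
    return True, "ok", secrets.token_hex(16) + "." + kind


# Constructed sample inputs (not taken from the thread).
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SCRIPT_TEXT = b"<?php /* placeholder script text */ ?>"
```

A signature check only confirms how the file starts, so the generated name and a storage directory where the server does not execute scripts remain part of the defence.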