[nycphp-talk] GD or ImageMagick or...?

Carlos A Hoyos cahoyos at us.ibm.com
Mon Nov 28 15:36:07 EST 2005


talk-bounces at lists.nyphp.org wrote on 11/28/2005 11:10:17 AM:

> Hey guys,
>
> I'm writing some custom blog software and want to add some features to
> handle uploading/storing/displaying photos.  On upload from the user I...


Slightly related, the following announcement was published a couple of days ago
in the phpsec list:

http://rgod.altervista.org/efiction2_xpl.html

Notice how one of the security problems disclosed for this application is
due to the app checking if an uploaded file is a valid image, but then
saving it under the server's document root without changing its name.

A specially crafted image allows for valid php to be embedded and in this
case executed. The uploaded file referred to in this exploit is a valid gif
file, so $_FILES['type'] will return 'image/gif'.

So don't forget some good practices: always filter user input, when
possible store files outside of the document root (serve them through a
properly secured script) and run the web server under a user with no write
access under the server's document root.

Carlos

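The practices Carlos lists, written out as an added PHP example (not code from the original post, the list, or the application in the linked advisory). It shows the pattern the advisory describes, trusting the client-sent type and keeping the uploader's file name under the document root, next to a hardened handler that decodes the bytes with GD, re-encodes them into a fresh file with a server-chosen random name, stores it outside the document root and serves it only through a script. The field name "photo", the directory "/var/blog-uploads" and the "image.php?id=" route are assumptions, and random_bytes() requires PHP 7 or later.

```php
<?php
// Added example for this thread, not code from the original post.
// Assumptions: the form field is "photo", $storeDir is a directory outside the
// document root that only the web server user can write to, and GD is loaded.
// All paths are placeholders.

// The pattern the advisory above relies on: $file['type'] is a header chosen by
// the client, and the destination name is chosen by the uploader, so a valid GIF
// with a .php name (or a server that maps .gif through PHP) gets executed.
function store_photo_vulnerable(array $file, string $docRoot): string
{
    if ($file['type'] !== 'image/gif') {                       // client-controlled
        throw new RuntimeException('not a gif');
    }
    $dest = $docRoot . '/uploads/' . basename($file['name']);  // uploader-controlled
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened handler: inspect the bytes, re-encode through GD, random name,
// storage outside the document root.
function store_photo_hardened(array $file, string $storeDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $info = @getimagesize($file['tmp_name']);   // reads the file, ignores $_FILES['type']
    if ($info === false) {
        throw new RuntimeException('not a decodable image');
    }
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('unsupported image type');
    }
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }
    // Write a brand-new file from the decoded pixels: comment blocks, trailing
    // data and other non-pixel content of the upload are not carried over.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dest);       break;
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 85);  break;
        default:             $ok = imagepng($img, $dest);       break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $name;   // only this server-generated name goes into the blog database
}

// Serving script (assumed route: image.php?id=<name>). The name must match the
// exact shape store_photo_hardened() generates, which rules out traversal, and
// the Content-Type comes from the stored bytes rather than from any request data.
function serve_photo(string $name, string $storeDir): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storeDir, '/') . '/' . $name;
    $info = @getimagesize($path);
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage with the placeholder paths above:
// $name = store_photo_hardened($_FILES['photo'], '/var/blog-uploads');
// serve_photo($_GET['id'] ?? '', '/var/blog-uploads');
```

Re-encoding strips the parts of an upload that are not pixel data, but it is a hygiene step rather than the guarantee: the property that actually defeats the linked exploit is that nothing in $storeDir is reachable by the web server as a script, because the directory sits outside the document root and is only ever read by serve_photo(). Pairing that with a web server user that cannot write under the document root, as Carlos suggests, closes the same hole from the other side.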