> Did anyone try this?
> http://wafful.org/2007/08/04/php-code-in-gif-image-file/
>
> I am wondering if miles uploader script or any other uploader plugin
> is aware of that risk yet.
> Or how dangerous this actually is for "normal" cake apps.
>
> Anyone happen to have such a "bad" image at hand?
> Drop me a line and I will report back with details.
>
> I think <?php phpinfo();?> would be a good script to include
I never did look into that further to see if there's something that
can easily be done to catch those. But I've never been too concerned,
either. Notice that the code embedded in the image is triggered
because the file is included inside a PHP script. The only other way
that I know of to use this exploit is to upload an image named
something.gif.php. I always check both the extension and file type. If
there's something I'm missing, though, I'd like to hear more.
Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
No comments:
Post a Comment