1. Are you serious?
Gonzalo | 2007-06-21 03:58:26
It's a "stupid developer" exploit...
What are you expecting from PHP developers? "Fatal Error: upload of php files is not available for security reasons"
Last release: Microsoft PHP 5.2.1 ¬¬
2. Re: Are you serious?
Manuel Lemos | 2007-06-21 04:03:05
I would not use such harsh adjectives on PHP developers, but the lack of education on security aspects makes some developers open holes on their sites inadvertently.
The point of this article is to open the eyes of developers who have not thought about these security aspects before.
3. Re: Are you serious?
Manuel Lemos | 2007-06-21 04:16:04
BTW, the problem is not whether or not PHP files are allowed to be uploaded.
The problem is that many PHP developers use the getimagesize function to validate uploaded image sizes. A valid GIF file can embed PHP code and would not be detected as invalid by the getimagesize function.
As mentioned in the article, this would not be a problem if the developers did not make the image files available for access directly with the original file names. If the file name is .php or .php3 or anything that Apache processes as a PHP request, sites may be abused.
Even when the file name extension is validated, some developers use the include or require functions to serve the images. In that case, the sites may also be abused.
As you may see, the developers do not need to be so stupid to make such security mistakes.
4. Re: Are you serious?
fate | 2007-06-21 21:56:01
Erm, I'm not claiming to be a great coder or such, but I did have an issue like this of people attempting to upload double-extension filenames. I run a simple script to parse the file name and check the last extension for validation. This may seem simple or such but it works...
5. Re: Are you serious?
Manuel Lemos | 2007-06-21 22:03:28
That may not be sufficient depending on how you serve the files to the users.
As mentioned in the article, if you use include or require to serve the uploaded images, you are open to security exploits. It may sound silly but some developers do that.
The problem is that valid GIF files may still contain byte sequences inside of them like this: <?php readfile('/etc/passwd'); ?>. Once PHP encounters these bytes in the GIF file that is included, that code is run.
Using getimagesize() to validate the image file would not prevent the problem because the file is a valid GIF image.
There are reports of sites being abused with exploits like this. So, depending on how cautious you are, you may or may not be subject to this exploit.
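As an added illustration of the points in this thread (example code, not from the original posts or the article), the following PHP script shows that getimagesize() happily accepts a GIF with a PHP open tag appended to it, and contrasts that with an upload handler that re-encodes the image through GD, stores it under a server-generated name, and serves it with readfile() instead of include/require. The GD re-encoding step and the function names are this example's own assumptions, not something the thread prescribes.

```php
<?php
// Added example (not from the thread). Requires the GD extension.
// Constructed sample: a minimal 1x1 GIF with a harmless PHP open tag appended,
// standing in for the kind of upload Manuel describes.
$gif = base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==');
$upload = $gif . "<?php /* constructed marker */ ?>";

// 1. Header-only validation passes: getimagesize() still reports a valid GIF.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $upload);
$info = getimagesize($tmp);
var_dump($info !== false && $info[2] === IMAGETYPE_GIF); // bool(true)
var_dump(strpos($upload, '<?php') !== false);             // bool(true): tag is still there

// 2. Hardened storage: decode the pixels and re-encode them, so only image data
//    survives, and pick the file name and extension on the server side. The
//    client's name (double extensions included) never reaches the filesystem.
function store_image(string $bytes, string $dir): ?string {
    $img = @imagecreatefromstring($bytes);      // fails on non-image data
    if ($img === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.gif';  // server-chosen name
    $path = rtrim($dir, '/') . '/' . $name;
    $ok = imagegif($img, $path);                 // fresh encoding of the pixels only
    imagedestroy($img);
    return $ok ? $path : null;
}

// 3. Serving: send the bytes with an explicit type. Never include/require the
//    uploaded file, which is what would execute embedded PHP.
function serve_image(string $path): void {
    header('Content-Type: image/gif');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

$stored = store_image($upload, sys_get_temp_dir());
$clean  = file_get_contents($stored);
var_dump(strpos($clean, '<?php') === false);              // bool(true): marker is gone
unlink($tmp);
unlink($stored);
```

Re-encoding is a defence in depth; the decisive point from the thread still holds: files that came from a client are data to be sent with readfile(), not code to be included.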
6. Re: Are you serious?
genshenghu | 2007-08-31 08:06:43
study!