FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Re: [img] - PHP injection??!! [message #22341 is a reply to message #22339] Fri, 28 January 2005 17:23
Posted by Ilia (Senior Member, Administrator, Core Developer)

Checking image extensions is pointless, because there are MANY simple ways to bypass it:

1) Make the server think of all .jpg, .gif requests as scripting files passed to PHP.

2) Redirect requests for .jpg to a scripting language.

3) Even if during message posting the URL was validated as a valid image, there is nothing to stop the user from going to their server and changing the content of the image after it has been validated.

As long as the [img] tag is enabled it is ultimately up to the remote server what sort of image data is returned.


FUDforum Core Developer
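
The points in the post above, as an added example that is not part of the original post and is not FUDforum code: an extension check reads only the URL, a signature check reads the returned bytes, and only a copy the forum stores itself stays bound to what was validated. The function names, the URL and both response bodies are constructed for illustration.

```php
<?php
// Added illustration: hypothetical helper names, constructed sample data.

// Weak check: inspects only the URL typed into the [img] tag.
function url_has_image_extension(string $url): bool {
    $path = (string) parse_url($url, PHP_URL_PATH);
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true);
}

// Content check: identifies the bytes actually returned by their file signature.
function sniff_image_type(string $body): ?string {
    $signatures = [
        'jpeg' => "\xFF\xD8\xFF",
        'png'  => "\x89PNG\r\n\x1A\n",
        'gif'  => 'GIF8',
    ];
    foreach ($signatures as $type => $magic) {
        if (strncmp($body, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

// Accept a fetched body into the forum's own store.
// Returns the SHA-256 of the stored copy, or null if the body is rejected.
function accept_local_copy(string $url, string $body): ?string {
    if (!url_has_image_extension($url) || sniff_image_type($body) === null) {
        return null;
    }
    return hash('sha256', $body);
}

// Constructed sample: one URL, answered differently at two points in time.
$url        = 'http://remote.example/avatar.jpg';
$atPostTime = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00";   // starts like a JPEG
$later      = "<html>not an image</html>";          // swapped after validation

// The extension check passes regardless of which body the server sends.
var_dump(url_has_image_extension($url));
// The signature check tells the two responses apart.
var_dump(sniff_image_type($atPostTime), sniff_image_type($later));

// The digest pinned at post time no longer matches the later response,
// so a hotlinked [img] would display content that was never validated.
$pinned = accept_local_copy($url, $atPostTime);
var_dump($pinned !== null && hash_equals($pinned, hash('sha256', $later)));
```

A signature match is a minimum bar, not proof of a well-formed image; the point is that validation only holds for bytes the forum keeps and serves itself.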