FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

avatar upload [message #26868] Thu, 18 August 2005 12:06
Riklaunim (Poland)
You check the avatar with getimagesize, which can be fooled. In Linux/Unix:
cat image.png code.php > hack.php

just adds PHP code at the end of a graphic file. getimagesize will return the image/png type for hack.php :) $_FILES['form_name']['type'] - application/x-php :) I had to make a quick fix on one of the Polish forums (uses 2.6.12), so at the top of index.php I've added:
// Quick fix: stop if the browser-reported type of the avatar upload is not PNG, JPEG or GIF.
if (isset($_FILES['avatar_upload']['type'])
    && !in_array($_FILES['avatar_upload']['type'], array('image/png', 'image/jpeg', 'image/gif'))) {
    die('NO HACKING AROUND');
}
require('./GLOBALS.php');

:) (no time to search where oh where is that form PHP code... :P)
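
One way to handle the upload on the server side without relying on getimagesize alone or on the browser-reported type, as an added example that is not part of the original post and not FUDforum's own code. The function name store_avatar, its parameters and the size limits are hypothetical, and the GD extension is assumed to be loaded.

```php
<?php
// Added example (hypothetical helper, not FUDforum code).
// Assumptions: GD is available; $destDir is the avatar storage directory.

/**
 * Validate an uploaded avatar and store a re-encoded PNG copy.
 * Returns the stored path, or null if the upload is rejected.
 */
function store_avatar(array $file, string $destDir, int $maxBytes = 65536, int $maxDim = 256): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > $maxBytes) {
        return null;
    }

    // Detect the type from the file content. $file['type'] and $file['name']
    // are supplied by the client and are ignored here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false
        || !in_array($info[2], [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF], true)
        || $info[0] > $maxDim || $info[1] > $maxDim) {
        return null;
    }

    // Decode and re-encode: the output is written from decoded pixels, so
    // bytes appended after the image data (the "cat image.png code.php"
    // case from the post) are not copied into the stored file.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }

    // Server-chosen random name and fixed extension: the stored file never
    // carries a client-controlled name such as hack.php.
    $path = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    imagesavealpha($img, true);
    return imagepng($img, $path) ? $path : null;
}

// Usage in the upload handler (path is a placeholder):
// $saved = store_avatar($_FILES['avatar_upload'], '/path/to/avatars');
```

Disabling script execution for the avatar directory in the web server configuration is a separate control that complements this check.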