How to disable .php.jpg parsing


#1

Hello,

I see that filenames ending in .php.jpg (like “myfalsepic.php.jpg”) are parsed by the parser, and this can cause security problems in upload forms.

Example: a picture upload form allows .gif, .jpg, … extensions.
The form check may pass if the filename ends in “.jpg”. Then a hacker can execute PHP code on your server and steal some passwords.

I would like to know how to disallow parsing this type of file, particularly how to parse ONLY “.php” files.

Thanks !


#2

Dude, according to your username you’re a Fab Hacker. Everything other than that I guess…

I don’t actually know the answer.


#3

See Files with multiple extensions

Solution:
Rename file so it has only one extension: something.php.jpg becomes something_php.jpg

:cool: Atropos | openvein.org


#4

Thanks for bringing this to my attention. I just assumed the last extension was the only active extension.
Silk

My website


#5

I think the concern was that if someone uploaded what looked like a JPG because of the last extension, that the webserver may parse it as a PHP script first. Since it’s a user uploading the file, the original poster isn’t in a position to rename the file, unless he/she adds some extra code to strip out or block such embedded extensions.

-Scott


#6

That's true, it's best to not use the users' filenames in the first place.
Silk

My website


#7

My nickname doesn’t matter; in fact I chose it when I was 14, and I’m now nearly 20 :wink:

For the main problem, I didn’t find the right answer. But a good solution is to double-check uploaded files, for example using GetImageSize() on the uploaded file to check whether it’s an image or not.

Even if the main problem (".php.jpg" files parsed) is not fixed, it could work very well.
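The three defensive ideas in this thread (post #3: collapse the name to a single extension; post #6: don't reuse the user's filename at all; post #7: verify the content is really an image) are combined below in one added example. It is not code from any poster and is written in Python rather than PHP so the logic can be run and checked anywhere; `GetImageSize()` is stood in for by a magic-byte signature table that is constructed here (JPEG, PNG and GIF only). The names `collapse_extensions`, `final_extension`, `looks_like_image` and `safe_store_name` are this example's own.

```python
import os
import secrets

# Constructed table for this example: the only extensions the upload form
# accepts, each mapped to the byte signature(s) a real file of that type
# must begin with. Anything not listed is rejected outright.
ALLOWED_SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}


def collapse_extensions(filename):
    """Post #3's rename: 'something.php.jpg' -> 'something_php.jpg'.

    Only the final extension survives as an extension; every other dot in
    the name becomes an underscore, so a server that honours multiple
    extensions sees just one.
    """
    base = os.path.basename(filename)
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return base  # no extension at all, or a bare dot-file such as '.jpg'
    return stem.replace(".", "_") + "." + ext


def final_extension(filename):
    """Return the lowercased final extension of a name, or None if it has none."""
    base = os.path.basename(filename)
    if "." not in base:
        return None
    return base.rsplit(".", 1)[1].lower()


def looks_like_image(data, ext):
    """Content check in the spirit of post #7's GetImageSize() suggestion:
    the bytes must start with a signature that matches the claimed type."""
    signatures = ALLOWED_SIGNATURES.get(ext)
    if signatures is None:
        return False
    return any(data.startswith(sig) for sig in signatures)


def safe_store_name(original_name, data):
    """Decide whether an upload is acceptable and what to call it on disk.

    Returns a server-generated name with exactly one extension (post #6's
    advice: never store under the user's name), or None if the upload is
    rejected because the extension is not allowed or the bytes do not look
    like that kind of image.
    """
    ext = final_extension(original_name)
    if ext not in ALLOWED_SIGNATURES:
        return None
    if not looks_like_image(data, ext):
        return None
    # Random hex stem: no user-controlled characters, no inner dots.
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample inputs.
    fake_jpeg = b"<?php echo 'not really a picture'; ?>"
    real_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    print(collapse_extensions("myfalsepic.php.jpg"))          # myfalsepic_php.jpg
    print(safe_store_name("myfalsepic.php.jpg", fake_jpeg))    # None
    print(safe_store_name("holiday.jpg", real_jpeg))           # <hex>.jpg
```

The signature check is a second layer, not a substitute for the renaming: a file that begins with a valid image header can still carry text after it, so what actually prevents the multiple-extension handling the thread is about is that the stored name has one extension the server never treats as PHP.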


#8

Did you bother to read the thread or are you a bot inserting your web address into forums?
Silk

My website