FUDforum: Bug Reports » avatar upload

Home » FUDforum Development » Bug Reports » avatar upload

Show: Today's Messages :: Polls :: Message Navigator

avatar upload [message #26868]

Thu, 18 August 2005 12:06

Riklaunim

Messages: 3
Registered: August 2005

Karma:

Junior Member

You check the avatar with getimagesize which can be fooled, in linux/unix:

cat image.png code.php > hack.php

just adds at the end of a graphic file PHP code. getimagesize will returm image/png type for hack.php Smile

$_FILES['form_name']['type'] - application/x-php Smile

I had to make a quick fix on one of Polish forums (uses 2.6.12) so at the top of index.php I've added:

IF(isset($_FILES['avatar_upload']['type']) and $_FILES['avatar_upload']['type'] != 'image/png' and $_FILES['avatar_upload']['type']  != 'image/jpeg' and $_FILES['avatar_upload']['type'] != 'image/gif')
		{
		die('NO HACKING AROUND');
		}
	require('./GLOBALS.php');

(no time to search where oh where is that form PHP code... Razz

)

Report message to a moderator

[Message index]

		avatar upload By: Riklaunim on Thu, 18 August 2005 12:06
		Re: avatar upload By: Ilia on Thu, 18 August 2005 13:02
		Re: avatar upload By: Riklaunim on Fri, 19 August 2005 09:08
		Re: avatar upload By: Ilia on Fri, 19 August 2005 13:30
		Re: avatar upload By: Riklaunim on Sat, 20 August 2005 08:55
		Re: avatar upload By: naudefj on Wed, 20 May 2009 11:20

Previous Topic:	Maillist.php patch for pure html mails
Next Topic:	NNTP - Conversion of special characters (UTF-8) doesn't work

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Mon Jun 17 13:12:56 GMT 2024

Total time taken to generate the page: 0.04380 seconds