How to disable .php.jpg parsing

Posted by: FabHacker
Posted on: 2006-12-16 13:13:00

Hello,

I see that filenames ending in .php.jpg (like "myfalsepic.php.jpg") are parsed by the PHP parser, and this can bring security problems in upload forms.

Example: a picture upload form allows .gif, .jpg, ... extensions.
The form check can pass if the filename ends with ".jpg". Then a hacker can execute PHP code on your server and steal some passwords.

I would like to know how to disallow parsing this type of file, particularly how to parse ONLY ".php" files.

Thanks !

Re: How to disable .php.jpg parsing

Posted by: pangea33
Posted on: 2006-12-16 13:27:00

Dude, according to your username you're a Fab Hacker. Everything other than that I guess...

I don't actually know the answer.

Re: How to disable .php.jpg parsing

Posted by: Atropos7
Posted on: 2006-12-16 15:57:00

In reply to:

I would like to know how to disallow parsing this type of file, particularly how to parse ONLY ".php" files.


See "Files with multiple extensions"

Solution:
Rename file so it has only one extension: something.php.jpg becomes something_php.jpg


cool Atropos | openvein.org

Re: How to disable .php.jpg parsing

Posted by: silkrooster
Posted on: 2006-12-16 16:14:00

Thanks for bringing this to my attention. I just assumed the last extension was the only active extension.
Silk

My website

Re: How to disable .php.jpg parsing

Posted by: sdayman
Posted on: 2006-12-16 18:47:00

I think the concern was that if someone uploaded what looked like a JPG because of the last extension, that the webserver may parse it as a PHP script first. Since it's a user uploading the file, the original poster isn't in a position to rename the file, *unless* he/she adds some extra code to strip out or block such embedded extensions.

-Scott

Re: How to disable .php.jpg parsing

Posted by: silkrooster
Posted on: 2006-12-16 19:20:00

That's true, it's best not to use the users' filenames in the first place.
Silk

My website

Re: How to disable .php.jpg parsing

Posted by: FabHacker
Posted on: 2006-12-19 12:08:00

My nickname doesn't matter; in fact I chose it when I was 14, and I'm now nearly 20 ;-)

For the main problem, I didn't find the right answer. But a good solution is to double-check uploaded files, for example using GetImageSize() on the uploaded file to check whether it's an image or not.

Even if the main problem (".php.jpg" files being parsed) is not fixed, it could work very well.
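The two defences the thread converges on (silkrooster: never store the user's filename; FabHacker: verify the content with GetImageSize()) combined into one upload handler. This is an added example, not code from the thread; it assumes a form field named "picture" and an upload directory that the web server does not hand to PHP. Note that getimagesize() alone does not reject a valid image with PHP code appended to it, so the server-generated single-extension name is the control that actually keeps the multi-extension handler out of play.

```php
<?php
// Added example: store an upload under a server-chosen name with exactly
// one extension, decided from the file's contents rather than the client's
// filename. The original name ($file['name']) is never used on disk.
// Assumptions: PHP >= 7 (random_bytes), $uploadDir not served via PHP.

function store_uploaded_image(array $file, string $uploadDir): string
{
    // Reject failed uploads and anything that did not arrive via HTTP POST.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }

    // Content check: getimagesize() returns false unless the data parses
    // as an image. Index 2 holds the detected IMAGETYPE_* constant.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }

    // Allow-list of image types, each mapped to a single fixed extension.
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('unsupported image type');
    }

    // Server-generated name: 32 hex chars plus one extension. There is no
    // way for "something.php.jpg" to survive into the stored filename.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage (constructed): $stored = store_uploaded_image($_FILES['picture'], '/var/www/uploads');
```

On the Apache side, the configuration-level answer to the original question is to bind the PHP handler with a `<FilesMatch "\.php$">` block rather than with `AddHandler`/`AddType` on the `.php` extension, because the `Add*` directives match the extension in any position of a multi-extension name while the regex only matches it last.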

Re: How to disable .php.jpg parsing

Posted by: business1
Posted on: 2006-12-19 12:27:00

Do you have a good way to do that?

http://www.thebusinesssuccessgroup.com/Real-Estate-Investment-training.html

Re: How to disable .php.jpg parsing

Posted by: business1
Posted on: 2006-12-19 12:32:00

Why would you want to disable PHP?

http://www.thebusinesssuccessgroup.com/Real-Estate-Investment-training.html

Re: How to disable .php.jpg parsing

Posted by: silkrooster
Posted on: 2006-12-19 18:57:00

Did you bother to read the thread or are you a bot inserting your web address into forums?
Silk

My website

Tags: php, file, gif, jpg, parsing, parser, parse, filename, hacker