class.upload.php is a powerful and mature PHP class to manage uploaded files, and manipulate images in many ways. The script is available under a GPL license.
A setting that allows you to abort the upload if the mime type doesn't match the given type would be suitable, but you're right about the false positives. It would be interesting to get some stats from a high usage site using the upload class. In the meantime we'll look at catching the .html extension before we pass the uploaded files off to the upload class.
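The pre-filter described in the comment above (reject by extension before the file reaches the upload class, and treat the MIME type as a second check rather than the only one), written out as an added example. This is not code from class.upload.php or its author; the function name `vetUpload`, the allowlists and the hand-off point are assumptions for illustration.

```php
<?php
// Added example, not part of class.upload.php: a pre-filter run on one $_FILES
// entry before the file is handed to the upload class. The function name and the
// allowlists below are assumptions chosen for illustration.

declare(strict_types=1);

// Final extension => MIME type the sniffed content must match.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Extensions a web server may hand to an interpreter. They are refused anywhere
// in the name, so "avatar.php.png" is rejected along with "page.html".
const INTERPRETED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar',
                                'html', 'htm', 'shtml', 'cgi', 'pl'];

/**
 * Returns the server-chosen name to store the file under, or throws if the
 * upload must be aborted. $file is one $_FILES entry (name, tmp_name, error, size).
 * The real request handler must already have checked is_uploaded_file($file['tmp_name']).
 */
function vetUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with PHP error code ' . $file['error']);
    }

    // Work on the base name only; the client-supplied path is never trusted.
    $clientName = basename((string) $file['name']);
    $segments   = explode('.', strtolower($clientName));
    if (count($segments) < 2) {
        throw new RuntimeException('missing file extension');
    }

    // Every dotted segment after the base name is checked, not just the last one.
    foreach (array_slice($segments, 1) as $segment) {
        if (in_array($segment, INTERPRETED_EXTENSIONS, true)) {
            throw new RuntimeException("extension '$segment' may be interpreted by the server");
        }
    }

    $ext = end($segments);
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' is not on the allowlist");
    }

    // Sniff the real content type from the bytes on disk. $file['type'] is
    // supplied by the client and is ignored.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($file['tmp_name']);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content looks like '$sniffed', not " . ALLOWED_TYPES[$ext]);
    }

    // Store under a name the server generates; the original name is never reused.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demonstration with constructed input: a minimal PNG (signature + IHDR chunk)
// written to a temp file stands in for $_FILES['upload']['tmp_name'].
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp,
    "\x89PNG\r\n\x1a\n"
    . "\x00\x00\x00\x0dIHDR"
    . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
    . "\x90\x77\x53\xde");

foreach (['avatar.png', 'page.html', 'shell.php.png', 'pic.gif'] as $name) {
    $entry = ['name' => $name, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => filesize($tmp)];
    try {
        echo "$name -> stored as " . vetUpload($entry) . "\n";
    } catch (RuntimeException $e) {
        echo "$name -> rejected: " . $e->getMessage() . "\n";
    }
}
unlink($tmp);
```

Only `avatar.png` passes: `page.html` and `shell.php.png` are refused on the extension check, and `pic.gif` is refused because the sniffed content (PNG) disagrees with the extension. The returned name is what you would then pass on to the upload class, so the client-chosen name never reaches the filesystem.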
In the case where you did want to allow a .html file to be uploaded and stored with .html extension, AND where the target server was configured to process .html using PHP (or other) there's no way to prevent this security flaw. I suspect that any server should not be configured to process .html with a server-side interpreter anyway.