Reply to Re: Vulnerability - bypassing no_script check

Re: Vulnerability - bypassing no_script check new!
by Bob Brown, 16 years, 7 months ago
A setting that allows you to abort the upload if the mime type doesn't match the given type would be suitable, but you're right about the false positives. It would be interesting to get some stats from a high usage site using the upload class. In the meantime we'll look at catching the .html extension before we pass the uploaded files off to the upload class.

In the case where you did want to allow a .html file to be uploaded and stored with .html extension, AND where the target server was configured to process .html using PHP (or other) there's no way to prevent this security flaw. I suspect that any server should not be configured to process .html with a server-side interpreter anyway.Reply

Your reply

Name *
Email 
Title *
Text *
CAPTCHA image
Enter the code displayed on the image:
Click on the image to generate another one if it is hard to read it. The case is important