Collaborate Disseminate
Can anyone help me in checking if this code is exploitable for uploading a PHP script (backdoor etc) by bypassing the image checking technique used in this PHP script?
online link: http://210.212.119.163/alumni/admin/ajaxim… Continue reading Image upload vulnerability in PHP script
With NGINX and PHP I am allowing 5GB files to be ‘uploaded’ to my server although they will not be downloaded unless they are ‘legitimate’ (that is for another question ;)). I was wondering is this is making it easier for DDO… Continue reading What are the potential vulnerabilities of allowing a large http body size?
I’m studying a file injection in a web app running on an Apache 2 server with PHP backend and Linux OS. I would like to understand how the file uploaded permission is set up.
The file uploading is done mainly in two lines: … Continue reading PHP file_upload default permissions?
Let’s say that a partner wants to upload a PHP script to my Apache server. What kind of mayhem could be caused by this?
Which PHP parameters pose threats? If those PHP parameters are fully disabled, would allowing PHP to be … Continue reading What security risks are there in allowing someone to upload PHP scripts?
Is XXE possible in a file upload with .docx files?
Continue reading Can an XXE attack be carried out from within an docx file?
Given:
A file (assume 1 GB in size) is encrypted along with filenames using 7zip into a 7z archive using AES-256
The file is uploaded to a cloud storage service such as those offered by Google, Amazon, or Microsoft
The file… Continue reading Susceptibility of 7z encrypted archive files to man in the middle attacks
In my application, I have file and image upload as like given in the image and also I restricted the special characters in the filename. Is any other possibilities for XSS using image file name.
I am working on a file upload feature in our app. Users can also download uploaded files from the app. To prevent malicious file upload, I am checking magic bytes of the file to find the file type uploaded and verify its part… Continue reading Unrestricted File upload
For example, if a client submits a file to a server, and the server opens the file in read-mode with Python:
with open(uploaded_file, “r”) as f:
# Do something
Could the act of opening a file be abused with a cleverly-crafted file f… Continue reading Does opening an arbitrary file in a language (such as Python) pose a security risk?
After I bypass this error message:
the server encountered an internal error or misconfiguration and was unable to complete your request
I find that I have another mistake when I upload the SSI web shell and run my command
… Continue reading how to bypass Internal Server Error [on hold]