file-upload – Page 22 – WindowsTechs.com

PHP | Security for allowing user uploads

Posted on February 20, 2015 by Jimmy

My Situation:

I am creating a web application with PHP which allows users to scan their files for viruses. It allows the user to upload their files via the html “file” input type or via a URL. I have successfully built the h… Continue reading PHP | Security for allowing user uploads→

Is it possible to exploit a file upload with whitelist and filename hashing?

Posted on November 18, 2014 by zarathustra

I have a small web application. Because it is necessary to upload some files I check the file extensions with a whitelist (tgz, jpg, png, pdf, zip, rar, txt, gif, py, c, rb). In addition to that, I hash the filenames with md5 so e.g. when… Continue reading Is it possible to exploit a file upload with whitelist and filename hashing?→

Is there a way to check the filetype of a file uploaded using PHP?

Posted on May 13, 2014 by Grim Reaper

I don’t want it to just check the extension of the file as these can easily be forged even MIME types can be forged using tools like TamperData.

So is there a better way to check file types in PHP ?

Continue reading Is there a way to check the filetype of a file uploaded using PHP?→

What does it mean to have a "file name with NULL bytes in serialized instances"?

Posted on November 23, 2013 by Muhammad Gelbana

I was browsing this page, which redirected me to this vulnerability because I’m a Java developer and I’m aware of the affected library.

Basically the vulnerability says:

It was discovered that Apache Commons FileUpload incorrectly han… Continue reading What does it mean to have a "file name with NULL bytes in serialized instances"?→

IMG tag vulnerability

Posted on May 24, 2013 by Paul Podlipensky

Is it safe to display images from arbitrary domains? I.e. let’s say I have an image on my page:

What if image.gif will return some js attack vector, but not the image? Is the… Continue reading IMG tag vulnerability→

IMG tag vulnerability

Posted on May 24, 2013 by Paul Podlipensky

Is it safe to display images from arbitrary domains? I.e. let’s say I have an image on my page:

What if image.gif will return some js attack vector, but not the image? Is the… Continue reading IMG tag vulnerability→

How can I spoof the Mimetype of a file upload?

Posted on May 15, 2013 by h00j

There are posts that says php mimetype isn’t secure, or can be bypassed. How do people spoof the mimetype?

Continue reading How can I spoof the Mimetype of a file upload?→

is it safe to allow external images to be attached to Blog or any Web content?

Posted on March 4, 2013 by Akam

I am filtering all images that attached to any content of my blog:

Check for file extension.
Check content type using $finfo = finfo_open(FILEINFO_MIME_TYPE);
I also save the image temporary on my server and check the size … Continue reading is it safe to allow external images to be attached to Blog or any Web content?→

Methods for uploading shell to a website

Posted on February 22, 2013 by Wise

I know shells can be uploaded via sql injection, remote file inclusion and exploiting the web app’s own upload mechanism. Are there any other ways to upload a shell to a website and be able to execute commands?

Continue reading Methods for uploading shell to a website→

Use PHP to check uploaded image file for malware?

Posted on January 8, 2013 by Frank E

I want my users to be able to upload a photo. Currently I am not checking the uploaded photo for problems of any kind, although I do limit the size to 32k.
Is there any way for me to check uploaded image files for malware? For instance, is… Continue reading Use PHP to check uploaded image file for malware?→