[Wikipedia-l] Image Upload Security
Brion Vibber
brion at pobox.com
Wed Jan 15 01:49:23 UTC 2003
On Tue, 2003-01-14 at 17:31, Jason "Rodzilla" Rodzik wrote:
> I just uploaded a test script, not even thinking it would let me. Although
> the script didn't run for some reason (why is that? I'd like to implement it
> on my own server)
Only the /w/ and /tools/ subdirectories have the PHP filter enabled in
the Apache configuration, and you can't upload to them. So, you just get
to download the source.
> isn't this still a possible security breach? The ability
> to upload .php files should be stopped during script execution.
Arbitrary HTML file uploads are potentially much more dangerous than a
PHP file that your browser is going to load as plaintext.
> I couldn't
> figure out how to delete the file either...
> http://www.wikipedia.org/wiki/Image%3ATest.php
Seems to be already deleted.
-- brion vibber (brion @ pobox.com)
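
As an added illustration of the setup described in this reply (not Wikipedia's actual configuration and not part of the original message), an Apache 2.4 fragment that maps the PHP handler only in the script directories and serves everything in the upload directory as inert data. The filesystem paths, the /upload/ directory name, and the use of mod_php and mod_headers are assumptions.

```apache
# Assumed layout (hypothetical paths): DocumentRoot /var/www/wiki,
# scripts under /w/ and /tools/, user uploads under /upload/.

# Weak form, for contrast: a server-wide mapping like the one below makes
# any uploaded *.php file executable wherever it lands.
#   <FilesMatch "\.php$">
#       SetHandler application/x-httpd-php
#   </FilesMatch>

# Scoped form: the PHP handler exists only where uploads cannot be written.
<Directory "/var/www/wiki/w">
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>

<Directory "/var/www/wiki/tools">
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>

# Upload directory: no handlers, no per-directory overrides, no listings.
<Directory "/var/www/wiki/upload">
    # An uploaded .htaccess must not be able to re-enable a handler.
    AllowOverride None
    Options -ExecCGI -Indexes
    # Clear any handler inherited from a parent scope.
    SetHandler None
    # mod_php only: refuse to start the interpreter here at all.
    php_admin_flag engine off

    # Script and markup files are sent as plain text, so the browser shows
    # the source instead of rendering HTML in the site's origin.
    <FilesMatch "(?i)\.(php\d?|phtml|html?|xhtml|svg)$">
        ForceType text/plain
    </FilesMatch>
    # Requires mod_headers: stop browsers from sniffing text/plain as HTML.
    Header always set X-Content-Type-Options "nosniff"
</Directory>
```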