[Wikipedia-l] Image Upload Security

Brion Vibber brion at pobox.com
Wed Jan 15 01:49:23 UTC 2003


On mar, 2003-01-14 at 17:31, Jason "Rodzilla" Rodzik wrote:
> I just uploaded a test script, not even thinking it would let me.  Although
> the script didn't run for some reason (why is that?  I'd like to implement it
> on my own server)

Only the /w/ and /tools/ subdirectories have the PHP filter enabled in
the Apache configuration, and you can't upload to them. So, you just get
to download the source.

>  isn't this still a possible security breach?  The ability
> to upload .php files should be stopped during script execution.

Arbitrary HTML file uploads are potentially much more dangerous than a
PHP file that your browser is going to load as plaintext.

>   I couldn't
> figure out how to delete the file either...
> http://www.wikipedia.org/wiki/Image%3ATest.php

Seems to be already deleted.

-- brion vibber (brion @ pobox.com)
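The split Brion describes (PHP executes only under /w/ and /tools/, while the upload directory serves whatever is in it as plain data) is a web-server configuration problem. The following Apache fragment is an added illustration of that arrangement, not the 2003 Wikipedia configuration; the document root, the `/uploads` path, and the use of mod_php and mod_headers are assumptions. It also goes one step beyond the thread by treating uploaded HTML, which the reply calls the more dangerous case, as a download rather than a page.

```apache
# Added example (not the original Wikipedia configuration).
# Assumptions: mod_php for the PHP handler, mod_headers for "Header",
# document root /var/www/html, user uploads under /var/www/html/uploads.

# PHP is executed only where the application itself lives.
<Directory "/var/www/html/w">
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>

<Directory "/var/www/html/tools">
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>

# The user-writable upload directory is served as static data only.
<Directory "/var/www/html/uploads">
    # No server-side execution: PHP engine off, handlers and types for
    # PHP-like extensions removed, CGI and server-side includes disabled.
    php_admin_flag engine off
    RemoveHandler .php .phtml .php3 .phar
    RemoveType    .php .phtml .php3 .phar
    SetHandler    default-handler
    Options       -ExecCGI -Includes

    # An uploaded .htaccess must not be able to re-enable any of the above.
    AllowOverride None

    # Stop browsers from sniffing an uploaded file into a rendered document.
    Header set X-Content-Type-Options "nosniff"

    # Anything a browser would render as a page (the HTML case from the
    # thread, plus SVG/XML which can carry script) is offered as a download.
    <FilesMatch "\.(html?|xhtml|svg|xml)$">
        Header set Content-Disposition "attachment"
    </FilesMatch>
</Directory>
```

With this in place an uploaded `Test.php` is delivered byte-for-byte as its source, which is the behaviour the reply describes, while an uploaded HTML file can no longer run in the site's origin. `AllowOverride None` matters as much as the handler lines: an upload directory that honours `.htaccess` lets a single uploaded file undo the rest.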