Vulnerability - bypassing no_script check

class.upload.php

class.upload.php is a powerful and mature PHP class to manage uploaded files, and manipulate images in many ways. The script is available under a GPL license.

more info about the class

Vulnerability - bypassing no_script check

See all posts See thread Reply

Re: Vulnerability - bypassing no_script check new!

# Reply

by Bob Brown, 16 years, 1 month ago

A setting that allows you to abort the upload if the mime type doesn't match the given type would be suitable, but you're right about the false positives. It would be interesting to get some stats from a high usage site using the upload class. In the meantime we'll look at catching the .html extension before we pass the uploaded files off to the upload class.

In the case where you did want to allow a .html file to be uploaded and stored with .html extension, AND where the target server was configured to process .html using PHP (or other) there's no way to prevent this security flaw. I suspect that any server should not be configured to process .html with a server-side interpreter anyway.Reply

verot.net

quality web development

Overview

Download it!

Docs and support

Help out!

class.upload.php

Vulnerability - bypassing no_script check