[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Possible release note for systems running PHP through CGI.

On Aug 20, Wouter Verhelst <w@uter.be> wrote:

> > But some sites accept file uploads with arbitrary names, perhaps
> > expected to be a JPEG image, but actually named bar.php.jpeg and
> > containing malicious server-side PHP which they could execute from the
> > browser.
> Don't Do That Then(TM).
I see that you are not in the web hosting business. <g>
Millions of web sites do this, so now matter how a bad practice this is 
(and I agree that it is) we need to do everything possible to work 
around insecure web sites.
Also, we are talking about PHP: if educating developers were possible, 
they would not use PHP in the first place.

> The right solution to this problem is instead to write your upload
> scripts so that they
True. But you do not dictate solutions to the 16 year old "webmaster" 
who happens to be the cousin of your customer.


Attachment: signature.asc
Description: Digital signature

Reply to: