Hi all, I've been having a growing problem recently with users uploading images (through an image upload function) that are actually PHP shell scripts spoofing the headers and MIME types. I run the usual checks on extension, MIME type, etc., and the images are uploaded to an unusual spot with random names so they cannot be executed, but I am quickly growing annoyed with the situation.

The code (while hundreds of lines long) looks a bit like this when opened with Notepad:

image/jpeg:::::
<?php
/*
*****************************************************************************************
* Safe0ver Shell //Safe Mod Bypass *
*****************************************************************************************
*****************************************************************************************
*/

Would a good solution be to scan the binary data for the <? and/or <?php string (case insensitive, of course), and if present, prevent the file from continuing off into server land?

lol yeah, I'd scan the whole binary data for any miscellaneous strings - even the ones that are already on the server.

Rainulf: Thanks for the feedback. I've gone ahead and implemented a solution similar to what you advised. Also, I did scan all the images on the server, and (thankfully) none of them came up positive. Interestingly, so far all the scripts that have been submitted have not been actual images. That is to say, when one views them, they do not render an actual image. Given this, I hope the script will still be able to catch it if it's hidden at the end of a real image.

AsHinE: Good idea -- although the images are put into BLOB data in MySQL; they're not hard files.
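
An added example, not part of the thread or any poster's code: a content-based check for an upload held as a string (as it would be for a BLOB), which decodes and re-encodes the image so that a tag appended to the end of a real image is not stored, then scans the result. The function names and the pixel cap are assumptions, and the GD extension is required.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical; needs ext-gd.
const MAX_PIXELS = 40000000; // assumed cap, tune to the site's needs

/** True if $bytes contains a "<?php" open tag in any letter case. */
function has_php_open_tag(string $bytes): bool
{
    // Bare "<?" and "<?=" are too short to reject on: they turn up by chance
    // in compressed image data. Only the 5-byte tag is treated as a signal.
    return stripos($bytes, '<?php') !== false;
}

/** Return freshly encoded image bytes to store, or null to reject the upload. */
function sanitize_image_blob(string $bytes): ?string
{
    // Type and size come from the data itself, never from the client's header.
    $info = @getimagesizefromstring($bytes);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)
        || $info[0] * $info[1] > MAX_PIXELS) {
        return null;
    }
    // A full decode fails for files that do not render as an image.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // Re-encode from pixels: bytes appended after the image and comment/EXIF
    // segments are not carried over into the output.
    ob_start();
    switch ($info[2]) {
        case IMAGETYPE_JPEG: imagejpeg($img, null, 90); break;
        case IMAGETYPE_PNG:  imagesavealpha($img, true); imagepng($img); break;
        case IMAGETYPE_GIF:  imagegif($img); break;
    }
    $clean = (string) ob_get_clean();
    // Scan what will be stored, not only what arrived.
    return ($clean === '' || has_php_open_tag($clean)) ? null : $clean;
}

// Constructed sample 1: text with a spoofed type prefix, as in the first post.
$fake = "image/jpeg:::::\n<?php /* constructed placeholder, no payload */";
// Constructed sample 2: a real 8x8 PNG with a tag appended after the image data.
ob_start(); imagepng(imagecreatetruecolor(8, 8)); $png = ob_get_clean();
$tagged = $png . '<?php /* constructed placeholder */';

var_dump(sanitize_image_blob($fake) === null);   // rejected: not an image
$clean = sanitize_image_blob($tagged);
var_dump(has_php_open_tag($tagged), $clean !== null && !has_php_open_tag($clean));
```

A re-encoded file can still contain a short sequence such as `<?` by chance, so the measures already described in the thread (random names, storage where nothing is executed) remain the control that matters; this check only narrows what reaches storage.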