reported a critical vuln in the smile challenge.
It was possible to upload images containing php code, and name the file foo.php.gif
, and the php code got executed.
I could not find out how to stop apache interpreting the files with php, so i fixed
it by disallowing ".php" in the filenames.
Big thanks to kepten for reporting this critical flaw.
If anyone knows how to stop apache running the php interpreter for foo.php.gif files, i would appreciate sharing the knowledge
EDIT: The problem was caused by a custom .htaccess and is fixed in svn
now. First i tried to fix by Options -MultiViews, but this didn't work. Thanks to epoch
for locating the problem!
EDIT2: It seems that image.php.foo is also nice to trick the apache