Hi,

after reading "rhican's" and "logo's" posts in the www.pcp-system.at - Gästebuch - v3 FINAL thread I was looking for vulnerable applications.
I really had never heard about the issue that Apache treats files with an unknown extension by their first known extension (in case there are more).

The "Mihalism's Image Uploader" script isn't really a vulnerable application.
It only allows you to upload ".gif", ".pjpeg", ".jpeg", ".bmp", ".swf" and ".png" files.

----------------------------------------------------------------------------------
if(($HTTP_POST_FILES['userfile']['type']=="image/gif") ||
($HTTP_POST_FILES['userfile']['type']=="image/pjpeg") ||
($HTTP_POST_FILES['userfile']['type']=="image/jpeg") ||
($HTTP_POST_FILES['userfile']['type']=="image/bmp") ||
($HTTP_POST_FILES['userfile']['type']=="image/swf") ||
($HTTP_POST_FILES['userfile']['type']=="image/png")) {
----------------------------------------------------------------------------------

The problem that might arise is that a webserver doesn't have a mime type associated with the quite uncommon mime type "image/pjpeg".
Therefore a php script with a name like "whatever.php.pjpeg" might be executable as a normal php script even though it shouldn't be.

You can download the script at http://www.hotscripts.com/Detailed/59585.html.

tbs

image/pjpeg is pretty common -- it's the .pjpeg extension that's rare (since image/pjpeg and image/jpeg differ only on whether they're progressive or not).

Also, isn't the script vulnerable to MIME spoofing? What happens if I upload a .php file but specify a MIME type of image/png?

@beerhunter: Can you give a proof of concept?
It seems like it should be possible but I can't figure it out.

tbs

Nice work beerhunter! Respect! I have to add that topic to the tutorial or maybe you should write your own.

tbs

PS: RFC1521 deals with the structure of message headers.
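
The two issues raised in this thread (the client-supplied `type` field and file names with more than one extension) have a common server-side mitigation, shown here as an added example that is not part of the thread or of the uploader script. The function name `stored_name_for_upload` and the sample files are hypothetical and constructed for the demonstration.

```php
<?php
/**
 * Return a server-chosen file name for an upload, or null to reject it.
 * $file has the shape of one $_FILES entry. Its 'type' and 'name' fields are
 * sent by the client, so neither is used for the decision or the stored name.
 * (Hypothetical helper written for this example.)
 */
function stored_name_for_upload(array $file): ?string
{
    // Image types detected from the file content, each mapped to one extension.
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    $info = @getimagesize($file['tmp_name']);   // parses the file header itself
    $ext  = ($info === false) ? null : ($allowed[$info[2]] ?? null);
    if ($ext === null) {
        return null;
    }
    // Random base name plus exactly one extension: a name such as
    // "whatever.php.pjpeg" never reaches the upload directory.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample input: a PHP script labelled image/png, and a PNG header.
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'hello'; ?>");
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
    . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00");

$uploads = [
    ['name' => 'whatever.php.pjpeg', 'type' => 'image/png', 'tmp_name' => $script],
    ['name' => 'photo.png',          'type' => 'image/png', 'tmp_name' => $png],
];
foreach ($uploads as $u) {
    $stored = stored_name_for_upload($u);
    echo $u['name'], ' => ', $stored ?? 'rejected', PHP_EOL;
    unlink($u['tmp_name']);
}
```

In a real handler the accepted file would be moved with `move_uploaded_file()` under the returned name. A valid image can still carry embedded script text, so the single server-chosen extension, not the content check alone, is what keeps the extension handling discussed above from applying.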