
[Full-disclosure] Paper: Secure file upload in PHP web applications



Various web applications, such as blogs, forums and photo galleries,
allow users to upload files. Providing a file upload function without
opening security holes proved to be quite a challenge in PHP web
applications. The applications we have tested suffered from a variety of
security problems, ranging from arbitrary file disclosure to remote
arbitrary code execution.

The paper describes various security holes occurring in file upload
implementations and suggests a way to implement a secure file upload.

The paper can be downloaded from
http://www.scanit.be/uploads/php-file-upload.pdf

Regards,
Alla Bezroutchko
Scanit
http://www.scanit.be/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/