PHP
nelolka, 2015-08-11 20:33:07

What is the security hole in the image loading script in this case?

There is a script for uploading an avatar to the site. Here is the line that does the main work:

move_uploaded_file($_FILES['avatar']['tmp_name'], $uploaddir."$username.jpg");

where $username is the username. For the user user, the file is user.jpg.
The system is pretty stupid and full of holes. After reading an article on Habré, I tried to upload a php script by registering under different logins, but it didn’t work out.
How to do it anyway? How to upload php to the server under the guise of an avatar?
The maximum login length is 8 characters. There are no additional checks.


4 answer(s)
Yuri, 2015-08-11
@riky

username
/../../../images/site-logo
Invented path - the vulnerability: replace any jpg file on the server if slashes are not prohibited in the username.

Alexander Aksentiev, 2015-08-11
@Sanasol

For example login: user.php?

Pavel K, 2015-08-12
@PavelK

Add php code to the picture at the very end, then just open this picture directly and profit.
This is the "classic" way.

Dmitry Kuznetsov, 2015-08-12
@dima9595

I advise you to check the MIME type in addition to all responses.
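A hardened replacement for the single upload line from the question, written from the defensive side as an added example (not code from the question or from any of the answers). It assumes the $uploaddir and $username variables of the original script and the PHP fileinfo and GD extensions; it addresses the three weaknesses raised in the answers: path characters in the login, a login that ends in an executable extension, and code appended to a real picture.

```php
<?php
declare(strict_types=1);

// Added example: save an avatar without trusting the login or the file content.
function save_avatar(array $file, string $uploaddir, string $username): string
{
    // 1. Only accept a successful, reasonably sized upload.
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 512 * 1024) {
        throw new RuntimeException('upload failed or too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 2. Never build the path from the raw login. Slashes ("../") or a
    //    trailing ".php" in the login must not reach the filesystem, so
    //    whitelist the characters and derive the file name from that alone.
    //    The 8-character limit is the one stated in the question.
    if (!preg_match('/^[a-z0-9_]{1,8}$/i', $username)) {
        throw new RuntimeException('invalid username');
    }

    // 3. Check the real content type, not the client-supplied $_FILES['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== 'image/jpeg' && $mime !== 'image/png') {
        throw new RuntimeException("unexpected content type: $mime");
    }

    // 4. Decode and re-encode the picture. A genuine image survives this;
    //    bytes appended after the image data do not, so the stored file
    //    contains only pixel data.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('file is not a decodable image');
    }
    $dest = rtrim($uploaddir, '/') . '/' . strtolower($username) . '.jpg';
    if (!imagejpeg($img, $dest, 85)) {
        throw new RuntimeException('could not write avatar');
    }
    return $dest;
}

// Usage: replaces the move_uploaded_file() line from the question.
// $dest = save_avatar($_FILES['avatar'], $uploaddir, $username);
```

Store $uploaddir where the web server will not execute scripts (outside the document root, or with the PHP handler disabled for that directory), so that even a bypass of these checks yields a downloadable file rather than executable code.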
