0

We recently got our servers into SVN which has been great, but this causes a lot of problems when using things like WP Filebase for CMS file management. It's also hard to keep the uploads folder synced, so we would like to turn off SVN for select directories. This leads me to the question at hand:

If we disallow a file type (php) in certain directories and someone uploads a shell script disguised as a .jpg or other file type that unpacks itself into a .php file, will that file actually unpack? Or will it unpack and just not execute? I'm not sure how folder security/permissions options work at this level.

Currently using IIS, though will likely be moving to a Linux box soon.

1 Answer

1

The server should not execute a '.jpg' file with PHP, as the content types are mapped by file extension in IIS, and thus it cannot 'unpack itself'.

So by default it would just serve the raw content of the .jpg file with the mime header 'image/jpeg' and your browser will just complain that it cannot render the image.

Jan Wikholm
  • Shouldn't, yes. But I've seen videos online of hackers using image extensions to upload a file, then having it execute a script giving them access to the machines. I'm not going to pretend I know how it works, but I've seen it so am trying to protect against it... well... was. I'm no longer on this project so can't move forward on it anymore. – kristina childs Oct 17 '13 at 02:59
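
An added example, not part of the answer or the comment above: a Python audit of an uploads folder that flags files which are PHP, or contain PHP, regardless of the extension they carry. The extension list, the magic-byte table, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed list of extensions mapped to the PHP handler; match it to your server.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
# Leading magic bytes of the image types an uploads folder is expected to hold.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# Full open tag only; short tags (<?=) occur too easily in binary image data.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def audit_file(path):
    """Return the list of findings for one uploaded file (empty if clean)."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    data = Path(path).read_bytes()
    findings = []
    if suffixes and suffixes[-1] in SCRIPT_EXTS:
        findings.append("script-extension")      # mapped straight to the handler
    elif any(s in SCRIPT_EXTS for s in suffixes):
        findings.append("double-extension")      # e.g. name.php.jpg
    magic = IMAGE_MAGIC.get(suffixes[-1]) if suffixes else None
    if magic and not data.startswith(magic):
        findings.append("magic-mismatch")        # content is not the claimed image
    if PHP_TAG.search(data):
        findings.append("php-tag")               # PHP source embedded in the file
    return findings

def audit_tree(root):
    """Map relative path -> findings for every flagged file under root."""
    files = sorted(p for p in Path(root).rglob("*") if p.is_file())
    return {str(p.relative_to(root)): f for p in files if (f := audit_file(p))}

def demo():
    """Audit a constructed uploads folder; every sample file is made up here."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    samples = {
        "photo.jpg": jpeg,                                     # clean image header
        "renamed.jpg": b"<?php /* constructed sample */ ?>",   # script renamed to .jpg
        "polyglot.jpg": jpeg + b"<?php /* constructed */ ?>",  # valid header, PHP inside
        "avatar.php.jpg": jpeg,                                # image with a .php part
        "tool.PHP": b"<?php /* constructed sample */ ?>",      # plain script upload
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_bytes(body)
        return audit_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

A flagged `.jpg` is still served as `image/jpeg` under the extension mapping the answer describes; the audit shows which uploads would become executable if a handler mapping or file name ever changed.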