[VIM] PHP File Upload Vulnerability with extra Extension

Steven M. Christey coley at linus.mitre.org
Mon May 12 21:37:43 UTC 2008

On Mon, 12 May 2008, str0ke wrote:

> I have forgotten what caused the vulnerability where you upload a file
> such as somefile.php.jpg and it can be executed as a php script.  I know
> this isn't a php vulnerability as much as an addon.  I think in the past
> it was suexec that caused this but not sure.  Anyone have a clue?

In CVE we call this "unrestricted file upload."  The application intends
to allow uploads, e.g. for avatars in a bulletin board.  The canonical
example is just allowing .php (or .asp) files without any check; in many
environments, you don't need an execute bit - the server will just invoke
the interpreter directly.  I see it mostly with .php and .asp but other
extensions are also likely.

In this particular variant, you'll usually have a case where the code
looks for ".jpg" and assumes the file extension is safe.  But Apache sees
the ".php" first, and ships it off to the PHP interpreter.  Wackiness

Presumably this double-extension variant could apply in other servers that
use some type of URL rewriting, but I don't know for sure.

I suspect some researchers just automatically try "shell.php.jpg" without
trying "shell.php" first, so you can't always be sure if it's the variant
or the canonical example.

- Steve

More information about the VIM mailing list