[eluser]boltsabre[/eluser]
Thanks Luckyfella73 for replying.
I really thought that this post would have had the regulars jumping all over it; user uploads are such a MASSIVE security problem, but perhaps they are just as clueless as most other people?
Either way, it's a bit sad. I was hoping we could get a list of "best practices" to help the CI community both code quicker (due to the already existing image and upload classes) and SAFER, by helping to educate people about what they should consider...
Quote:I found a code example that seems to prevent access to defined file extensions:
Code:
# List all extensions to block. The dot must be escaped, otherwise "." matches
# any character and the pattern is broader than intended. Apache config does
# not accept "//" comments on a directive line, so the note lives here instead.
<FilesMatch "\.(htaccess|htpasswd|php|js|exe|bat)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Wouldn't having a white list be much better? How many script extensions are there out there now, and possibly in the future?
If anyone has any input it would be great, hell, I don't even mind if at the end of all this someone collates the data and puts it on their blog. Then in the future when some newbie asks we can just send them there, and send you extra traffic!
Does ANYONE have any experience with how to combat the "double extension" (i.e. filename.php.jpg) or "embedded image metadata" (when you embed a script in an image's metadata, it will execute on your server when that file is called) hacks?
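An added example of the whitelist approach the post asks about (my code, not boltsabre's, Luckyfella73's, or CodeIgniter's): it accepts only content that really is a JPEG/PNG/GIF, renames the file so a double extension cannot survive, and re-encodes the image so metadata cannot carry a script. It assumes PHP 8 with the GD and fileinfo extensions, and a hypothetical upload field named "userfile".

```php
<?php
// Added example, not from the original thread. Assumes PHP 8 with the GD and
// fileinfo extensions, and that $uploadDir is NOT script-executable (outside
// the web root, or covered by an Apache rule that never hands files to PHP).
function store_uploaded_image(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not a real upload');
    }
    // 1. Whitelist by real content (magic bytes), never by the client-sent name.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    // 2. The file must also parse as an image, and agree with finfo.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a parseable image');
    }
    // 3. Random server-chosen name with exactly one whitelisted extension:
    //    a name like "shell.php.jpg" never reaches the disk in that form.
    $ext  = $allowed[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    // 4. Re-encode through GD so only pixel data is written; EXIF, comment
    //    and other metadata chunks (where a script could be hidden) are dropped.
    $img = match ($ext) {
        'jpg' => imagecreatefromjpeg($file['tmp_name']),
        'png' => imagecreatefrompng($file['tmp_name']),
        'gif' => imagecreatefromgif($file['tmp_name']),
    };
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('Could not write sanitised image');
    }
    return $name;   // store this name in the DB; serve it from $uploadDir
}

// Usage in a controller (hypothetical field name "userfile"):
// $stored = store_uploaded_image($_FILES['userfile'], '/var/www/uploads');
```

PNG transparency is only kept if you also call imagealphablending($img, false) and imagesavealpha($img, true) before writing, and animated GIFs are flattened to their first frame; both are acceptable trade-offs for avatar-style uploads but worth knowing about.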