Invision Community 4: SEO, prepare for v5 and dormant account notifications By Matt Monday at 02:04 PM
SJ77 Posted January 25, 2020 Posted January 25, 2020 This appears to be an exploit that allows a user to upload zip files to a post despite zip files not allowed. I found one on my site. Making the extension as myfile.zip.jpg If you change the extension back to .zip and extract it contains 2 webp files and an mp4 file. Also file types I don’t allow. I've tried to recreate this but usually I get the message 'There was a problem uploading the file' when uploading a zip disguised as a jpg, which is how it should work. However using his original zip I managed to add an exe file and upload it without problems... It could be to do with webm files, I managed to create a 94mb zip file full of webm files and upload it by changing the extension..
bfarber Posted January 27, 2020 Posted January 27, 2020 When you are restricting based on file type alone, then yes it's fairly easy to simply rename a file to something else. We don't actually inspect the file headers to try to validate the file type (that isn't realistic without knowing the intimate structure of every single type of file out there). Has this actually caused any problems or harm?
Recommended Posts
Archived
This topic is now archived and is closed to further replies.