Zubrag.com
Author Topic: Thumbnail Generator - security  (Read 6238 times)
zubrag
Administrator
« on: June 11, 2007, 09:11:12 AM »

Apollwnas added a comment for Thumbnail Creator / Generator.

Hello. This is a great script. But what about security?

1. If someone types http://wwwt.myserver.com/thumb.php?src=http://www.test.com/test.jpg&x=50&y=50&f=0 will the script run, causing load to the server?

Yes, it will run and cause load. But a user can cause server load by accessing any file on your server multiple times. Feel free to tune the script according to your needs. You could change it to request the filename only, and add http://www.test.com/ internally, so passing URLs would not cause server load because a hacker wouldn't know what is prepended to the file name. I can implement a "max X requests per N seconds from one IP" feature if that is of any help. But this would require MySQL database access and will not really help if the hacker uses proxies.

2. Can someone execute an 'evil' script on my server by passing PHP code in the src variable?
http://www.myserver.com/thumb.php?src=[evil code]
Thanks in advance for your reply.

The script checks if src is an image. So no evil code can be executed on your server.

Logged
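
One way to apply the two measures discussed in the post above (accept only a file name and prepend the base URL internally, and confirm the fetched data is an image), as an added PHP example that is not the Thumbnail Generator's own code. The function names, size limits and allowed extensions are assumptions; http://www.test.com/ is the prefix used in the post.

```php
<?php
// Added example: not the Thumbnail Generator's own code.
// Assumption: all source images live under one base URL fixed by the site owner.
const SOURCE_BASE   = 'http://www.test.com/';          // prefix named in the post
const ALLOWED_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
const MAX_BYTES     = 5242880;                         // 5 MiB download cap (assumed)
const MAX_SIDE      = 1000;                            // largest x/y accepted (assumed)

// Accept a bare file name only: no scheme, host, slash, backslash or leading dot.
function clean_src(string $src): ?string
{
    $ok = preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}\.(jpe?g|png|gif)\z/i', $src);
    return $ok === 1 ? $src : null;
}

// Clamp a requested dimension so one request cannot ask for a huge canvas.
function clamp_side($value): int
{
    return max(1, min(MAX_SIDE, (int) $value));
}

// True only if the bytes parse as one of the allowed image types.
function is_allowed_image(string $bytes): bool
{
    $info = @getimagesizefromstring($bytes);
    return $info !== false && in_array($info[2], ALLOWED_TYPES, true);
}

// Fetch from the fixed base only; the data is returned as a string, never included or run.
function fetch_source(string $name): ?string
{
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $data = @file_get_contents(SOURCE_BASE . rawurlencode($name), false, $ctx, 0, MAX_BYTES + 1);
    if ($data === false || strlen($data) > MAX_BYTES || !is_allowed_image($data)) {
        return null;
    }
    return $data;
}

// Constructed inputs, run offline (no fetch is made here).
foreach (['test.jpg', 'http://www.test.com/test.jpg', '../config.php', 'a.php'] as $src) {
    printf("%-32s %s\n", $src, clean_src($src) === null ? 'rejected' : 'accepted');
}
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // 1x1 GIF
var_dump(is_allowed_image($gif), is_allowed_image('<?php echo 1; ?>'), clamp_side('99999'));
```

In a request handler, `clean_src($_GET['src'] ?? '')` and `clamp_side()` would run before `fetch_source()`, and a null result from either check would end the request with an error status before any image work is done.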