Author Topic: Thumbnail Generator - security  (Read 6447 times)
« on: June 11, 2007, 09:11:12 AM »

Apollwnas added comment for Thumbnail Creator / Generator.

Hello. This is a great script. But what about security?

1. If someone types http://wwwt.myserver.com/thumb.php?src=http://www.test.com/test.jpg&x=50&y=50&f=0  will the script run, causing load to the server?

Yes, it will run and cause load. But a user can cause server load by accessing any file on your server multiple times. Feel free to tune the script according to your needs. You could change it to request the filename only, and add http://www.test.com/ internally so passing URLs would not cause server load because a hacker wouldn't know what is prepended to the file name. I can implement a "max X requests per N seconds from one IP" feature if that is of any help. But this would require MySQL database access and will not really help if the hacker uses proxies.

2. Can someone execute an 'evil' script on my server by passing PHP code in the src variable?
http://www.myserver.com/thumb.php?src=[evil code].
Thanks in advance for your reply.

The script checks if src is an image. So no evil code can be executed on your server.
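
One way to implement the two measures mentioned in the reply above (accepting only a file name and prepending the base URL internally, and checking that the fetched data is an image), with the x and y parameters clamped as well. This is an added example in PHP, not the Thumbnail Generator's own code; `IMAGE_BASE`, `MAX_BYTES`, `ALLOWED_TYPES`, the numeric limits and the function names are assumptions.

```php
<?php
// Added example, not the Thumbnail Generator's own code. IMAGE_BASE, MAX_BYTES,
// ALLOWED_TYPES, the limits and all function names are assumptions.
const IMAGE_BASE    = 'http://www.test.com/';  // fixed origin, never taken from the request
const MAX_BYTES     = 5 * 1024 * 1024;         // cap on how much is downloaded
const ALLOWED_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

// Accept a bare file name only: no scheme, host, slashes or "..".
function resolve_src(string $src): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z/i', $src)) {
        return null;
    }
    return IMAGE_BASE . $src;
}

// Clamp a requested dimension so one request cannot ask for a huge canvas.
function clamp_dim($value, int $max = 500): int
{
    return max(1, min($max, (int) $value));
}

// Fetch at most MAX_BYTES and confirm the bytes parse as an allowed image type.
function fetch_image(string $url): ?string
{
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $data = @file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
    if ($data === false || strlen($data) > MAX_BYTES) {
        return null;  // unreachable source or oversized response
    }
    $info = @getimagesizefromstring($data);
    if ($info === false || !in_array($info[2], ALLOWED_TYPES, true)) {
        return null;  // not an image, or a type that is not allowed
    }
    return $data;
}

$src = $_GET['src'] ?? '';
$url = is_string($src) ? resolve_src($src) : null;
$img = $url !== null ? fetch_image($url) : null;
if ($img === null) {
    http_response_code(400);
    exit('Invalid image request');
}
$w = clamp_dim($_GET['x'] ?? 50);
$h = clamp_dim($_GET['y'] ?? 50);
// $img, $w and $h can now be handed to the resizing code.
```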
