I have found a hole in one of my servers that someone else pointed out. Here is what I found. A fake image can get uploaded to the server, like test.php.psd, and the server will think it is an image file, but in fact it is a PHP file. Then when the server accesses the file, Apache does not recognize the file and automatically assumes that it is a PHP file and tries to execute it as a PHP file. If the file is not recognizable and cannot be opened as an image file, then it should not automatically try to execute it as a PHP file. Am I wrong in assuming this? Here are two sample files.
-Mark Adams www.bitserve.com - Secure Michigan web hosting for your business.
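The behaviour described in the post, modelled as an added example that is not part of the original message: Apache's mod_mime looks up every dot-separated extension and skips the ones it does not know, so `.psd` is ignored and `.php` still selects the PHP handler. The extension tables and the function names `resolve` and `upload_name_is_safe` are assumptions for illustration, and the lookup is a simplified model, not Apache's code.

```python
import os

# Assumption: extensions the server maps to a handler (AddHandler lines) and
# to a content type (mime.types). Real values come from the host's config.
HANDLER_EXTS = {"php": "php-script", "phtml": "php-script", "cgi": "cgi-script"}
KNOWN_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
               "png": "image/png", "gif": "image/gif"}


def resolve(filename):
    """Simplified model of mod_mime's multi-extension lookup.

    Each part after the base name is looked up. Unknown parts are skipped,
    and for each kind of metadata the rightmost known part wins.
    Returns (handler, content_type).
    """
    parts = os.path.basename(filename).lower().split(".")[1:]
    handler = content_type = None
    for ext in parts:
        if ext in HANDLER_EXTS:
            handler = HANDLER_EXTS[ext]
        if ext in KNOWN_TYPES:
            content_type = KNOWN_TYPES[ext]
    return handler, content_type


def upload_name_is_safe(filename, allowed=frozenset(KNOWN_TYPES)):
    """Upload-side check: accept a name only if its last extension is an
    allowed image type and no extension anywhere in it selects a handler."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False              # no extension, or a dotfile such as .htaccess
    if parts[-1] not in allowed:
        return False              # final extension is not an allowed image type
    handler, _ = resolve(name)
    return handler is None        # rejects names like test.php.jpg


if __name__ == "__main__":
    # Constructed sample names, including the one from the post.
    for sample in ("test.php.psd", "test.php.jpg", "holiday.2004.png", "photo.jpg"):
        print(f"{sample:18} resolve={resolve(sample)} safe={upload_name_is_safe(sample)}")
```

On the server side, binding the PHP handler only to names that end in `.php` (a `<FilesMatch "\.php$">` block with `SetHandler` in place of `AddHandler`) and turning off script execution in the upload directory closes the same gap without relying on filename checks.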