35
Quote:
jaquita wrote:
Is it possible for somebody to upload something that *purports* to be a image but is in fact an executable script of some kind.
Yes it is. You can upload any type of file as an avatar, as long as it isn't too large and has an allowed extension. These invalid images being referenced in an IMG tag's SRC attribute however don't pose a threat. I don't see a way to get these "bogus" images in the /upload directory included in any .php file as source.
Quote:
jaquita wrote:
Looking through the logs once again, the very last GET before the POST from user.php was for "uploads/blank.gif". At that last GET the user had a SESSIONID and one IP, when the POST happened the user had the same SESSIONID with a different IP.
Not entirely sure, but I think blank.gif is used as placeholder when a person doesn't have an avatar. Only indicates to me that the valid session-holder was probably viewing the forums right before someone else hijacked his session. No easy way to determine what was wrong unless you can replicate all the database info of the posts this user was viewing at the time this incident occured.
Though noted that the last viewed page doesn't neccesarily have to be that one with the exploit on it. It could have been any page before that during the same session.
