theblacksheep | 28.05.2006 17:02:04 | Edited by theblacksheep on 29.05.2006 16:13:41

Hi, after reading "rhican's" and "logo's" posts in the "www.pcp-system.at - Gästebuch - v3 FINAL" thread I was looking for vulnerable applications. I really had never heard about the issue that Apache treats files with an unknown extension by their first known extension (in case there are more). The "Mihalism's Image Uploader" script isn't really a vulnerable application. It only allows you to upload ".gif", ".pjpeg", ".jpeg", ".bmp", ".swf" and ".png" files.

----------------------------------------------------------------------------------
if(($HTTP_POST_FILES['userfile']['type']=="image/gif") ||
   ($HTTP_POST_FILES['userfile']['type']=="image/pjpeg") ||
   ($HTTP_POST_FILES['userfile']['type']=="image/jpeg") ||
   ($HTTP_POST_FILES['userfile']['type']=="image/bmp") ||
   ($HTTP_POST_FILES['userfile']['type']=="image/swf") ||
   ($HTTP_POST_FILES['userfile']['type']=="image/png")) {
----------------------------------------------------------------------------------

The problem that might arise is that a webserver doesn't have a mime type associated with the quite uncommon mime type "image/pjpeg". Therefore a php script with a name like "whatever.php.pjpeg" might be executable as a normal php script even though it shouldn't be. You can download the script at http://www.hotscripts.com/Detailed/59585.html.

tbs
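The multi-extension behaviour described in the post above, modelled as an added example (this is not code from the thread or from the Mihalism uploader). Apache's mod_mime walks every dot-separated extension of a filename left to right: a known extension sets the attribute it is configured for (content type via AddType, handler via AddHandler), a later known extension overrides only the attribute it defines, and an extension the server has never heard of, such as ".pjpeg", changes nothing. The extension table, the function names and the naming policy below are assumptions constructed for the example, not a dump of any real server.

```python
"""Model of how Apache mod_mime resolves a filename with several extensions.

Added example. MIME_TABLE is a constructed stand-in for a typical
AddType/AddHandler configuration; "pjpeg" is deliberately absent, which is
the situation the thread describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of mod_mime directives: extension -> attributes it sets.
MIME_TABLE: Dict[str, Dict[str, str]] = {
    "php":  {"handler": "application/x-httpd-php"},   # AddHandler-style entry
    "gif":  {"type": "image/gif"},
    "jpg":  {"type": "image/jpeg"},
    "jpeg": {"type": "image/jpeg"},
    "png":  {"type": "image/png"},
    "bmp":  {"type": "image/bmp"},
    "swf":  {"type": "application/x-shockwave-flash"},
    # no "pjpeg" entry: the unknown extension from the thread
}


@dataclass
class Resolution:
    type: Optional[str] = None
    handler: Optional[str] = None
    ignored: List[str] = field(default_factory=list)  # unknown extensions seen


def resolve(filename: str, table: Dict[str, Dict[str, str]] = MIME_TABLE) -> Resolution:
    """Walk the extensions of a filename the way mod_mime does."""
    res = Resolution()
    for ext in filename.split(".")[1:]:          # everything after the base name
        attrs = table.get(ext.lower())
        if attrs is None:
            res.ignored.append(ext)              # unknown extension: no effect
            continue
        if "type" in attrs:
            res.type = attrs["type"]             # a later known type wins
        if "handler" in attrs:
            res.handler = attrs["handler"]       # a handler survives later types
    return res


ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp", "swf"}


def upload_name_is_safe(filename: str, table: Dict[str, Dict[str, str]] = MIME_TABLE) -> bool:
    """Defensive naming policy for an upload directory (assumed policy):
    a non-empty base name, exactly one extension, that extension on the
    allow-list, and no handler attached to the name by the extension table."""
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    if parts[1].lower() not in ALLOWED_EXTENSIONS:
        return False
    return resolve(filename, table).handler is None


if __name__ == "__main__":
    for name in ("photo.jpeg", "whatever.php.pjpeg", "page.php.jpeg"):
        verdict = "safe" if upload_name_is_safe(name) else "REJECT"
        print(name, resolve(name), verdict)
```

Running it shows that "page.php.jpeg" ends up with the image/jpeg type and the PHP handler at the same time, so checking the last extension alone is not enough. A single-extension policy like the one above is one layer; the server-side layer is to make sure nothing in the upload directory can acquire a handler at all (for example RemoveHandler plus php_admin_flag engine off for that directory) and to store uploads under a server-generated name.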
unknown user | 29.05.2006 17:37:14

wohoo and it made it into wiwa, will I be famous now?
beerhunter | 30.05.2006 06:05:54

image/pjpeg is pretty common -- it's the .pjpeg extension that's rare (since image/pjpeg and image/jpeg differ only on whether they're progressive or not). Also, isn't the script vulnerable to MIME spoofing? What happens if I upload a .php file but specify a MIME type of image/png?
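The MIME spoofing point raised above, turned into a defensive check as an added example (not code from the thread or from the uploader script). The type the PHP snippet reads from $HTTP_POST_FILES['userfile']['type'] is copied from the Content-Type header of the multipart/form-data part, so the sender chooses it and it proves nothing about the bytes that follow. The validator below decides from the file's leading bytes instead and derives the stored extension from the detected format, never from the uploaded name. The signature table, the function names and the sample uploads are constructed assumptions for the example.

```python
"""Upload validation that does not trust the client-supplied Content-Type.

Added example. SIGNATURES holds the leading bytes of the image formats the
uploader claims to accept; image/pjpeg (progressive JPEG) starts with the
same bytes as image/jpeg, so it is handled as an alias of that type.
"""
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed table: (magic bytes, detected MIME type, extension to store).
SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png", "png"),
    (b"GIF87a", "image/gif", "gif"),
    (b"GIF89a", "image/gif", "gif"),
    (b"\xff\xd8\xff", "image/jpeg", "jpg"),
    (b"BM", "image/bmp", "bmp"),
)

# Declared types accepted for each detected format (pjpeg is an alias of jpeg).
CLIENT_ALIASES: Dict[str, Set[str]] = {"image/jpeg": {"image/jpeg", "image/pjpeg"}}


def sniff(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (mime, extension) from the magic bytes, or None if unrecognised."""
    for magic, mime, ext in SIGNATURES:
        if data.startswith(magic):
            return mime, ext
    return None


def validate_upload(client_type: str, client_name: str,
                    data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, stored_name).

    stored_name is a fresh random name plus the extension matching the
    detected content, so neither the client's filename nor its declared
    type ever reaches the filesystem.
    """
    detected = sniff(data)
    if detected is None:
        return False, "content does not start like any allowed image format", None
    mime, ext = detected
    if client_type not in CLIENT_ALIASES.get(mime, {mime}):
        # Declared and actual type disagree: reject, and worth logging as a signal.
        return False, f"declared {client_type} but content is {mime}", None
    stored = f"{secrets.token_hex(8)}.{ext}"
    return True, f"accepted {client_name!r} as {mime}", stored


if __name__ == "__main__":
    # Constructed sample uploads: a PHP file declared as image/png, a real PNG
    # header, and a JPEG header sent under the multi-extension name from the thread.
    samples = [
        ("image/png", "shell.php", b"<?php echo 1; ?>"),
        ("image/png", "pic.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("image/pjpeg", "whatever.php.pjpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ]
    for client_type, name, data in samples:
        print(name, validate_upload(client_type, name, data))
```

Magic-byte sniffing on its own only tells you what the file starts with; the server-generated name with a fixed extension is what stops a file from ever being served under a name the web server maps to a handler.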
theblacksheep | 30.05.2006 09:06:48

@beerhunter: Can you give a proof of concept? It seems like it should be possible but I can't figure it out.

tbs
beerhunter | 30.05.2006 23:49:37

OK, this seems to work. I learned a few things about HTTP file uploads there...
theblacksheep | 31.05.2006 09:22:58 | Edited by theblacksheep on 31.05.2006 10:04:46

Nice work beerhunter! Respect! I have to add that topic to the tutorial or maybe you should write your own.

tbs

PS: RFC1521 deals with the structure of message headers