Feb 7, 2009

Do you check file extensions before uploading to web accessible areas?

Last night a friend of mine informed me that his site had been hacked. It wasn't SQL injection or a guessable password but was traced back to a page where documents are uploaded. The upload methods were not checking file extensions and allowed a .cfm to be uploaded to a web accessible area, which in turn allowed for easy access to really mess up the site. I have one small family site where I allow uploads of images. I quickly headed over there to check my code to make sure I hadn't left the same hole open. I have a Flex widget that only allows .jpg extensions, and my save methods also check the extension before saving, as well as a try/catch around the image resize in case they rename an executable to .jpg, so I think I'm safe (I used this as my starting point).

Anyway, just a warning, as this could be easily overlooked.
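The checks the post describes, an extension allowlist plus a content check that catches a script renamed to .jpg, with the stored filename generated on the server, as an added example in Python rather than the author's own ColdFusion code. The JPEG signature check stands in for the post's try/catch around the image resize (it runs offline with no image library); the function names and sample inputs are constructed for this example.

```python
import os
import uuid

# Allowlist of extensions permitted in the web-accessible upload area
# (the post's case: JPEG images only).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}

# Every JPEG file begins with the SOI marker FF D8 FF. A .cfm or .exe
# renamed to .jpg will not, so this catches what the extension check misses.
JPEG_SIGNATURE = b"\xff\xd8\xff"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the file is never written."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-generated filename for a valid upload, or raise.

    1. Strip any directory part, then judge the real last extension, so
       'shell.jpg.cfm' and 'dir/../shell.cfm' are both rejected.
    2. Require the bytes to look like a JPEG, so a script renamed to
       .jpg is rejected even though its extension passed.
    3. Generate the stored name ourselves, so nothing from the client's
       filename (separators, NUL bytes, a second extension) reaches disk.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("invalid filename")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(JPEG_SIGNATURE):
        raise UploadRejected("content is not a JPEG image")
    return f"{uuid.uuid4().hex}.jpg"


def is_accepted(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload would be saved."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a minimal JPEG header and a renamed CFML page.
    fake_jpeg = JPEG_SIGNATURE + b"\xe0" + bytes(16)
    print(is_accepted("photo.JPG", fake_jpeg))          # True
    print(is_accepted("shell.cfm", b"<cfoutput>x</cfoutput>"))  # False
    print(is_accepted("shell.jpg", b"<cfoutput>x</cfoutput>"))  # False
```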

1 comment:

  1. This is a great tip and I think one that is often overlooked!
