In the very least your site could be flagged for malware.
If these files are distributed on your website, you might be held responsible if someone gets malware from your site. There are at least two notable considerations you should take into account: to bypass a naïve file upload filter that forbids uploading PHP scripts but allows ZIP files, without checking if the uploaded file might be both at the same time. a JAR file) as something harmless (like a GIF image, as in the GIFAR exploit), but there's no reason it couldn't be used in the other direction too, e.g. Some programs may refuse to open such modified ZIP files (but if so, they're technically violating the ZIP format spec), or they may identify the file as something other than a ZIP file by default, but generally, if you feed such a file into code that expects a ZIP file, it will probably be accepted as one.Ī more common malicious use of such tricks is to disguise exploit code in a ZIP-based container (e.g. This trick is legitimately used to create self-extracting ZIP files, but it's perfectly possible to prepend any other hidden data or executable code into a ZIP file in the same way. using _halt_compiler()) that PHP won't try to parse the appended ZIP archive data. It's not even particularly hard just concatenate the PHP code and the ZIP file, and make sure (e.g. A ZIP archive remains valid even if you prepend arbitrary data to it, so it's quite possible to create a file that is simultaneously a valid ZIP archive containing innocent data and also a malicious PHP script. While you're probably right in this case, your assumption might not always hold. Since I'm able to uncompress the files on my mac I assume these are real zip files and not just something like renamed php files.
0 kommentar(er)
