I was working on a project a while back where I was creating an image using PHP. Well, I posted it here on this board with an image tag and, lo and behold, the extension .php was accepted in an image tag. Then I got to thinking: what if I was to create an image hosted on my server that would capture an IP address and save it to a database? Then anyone that looked at my picture would be unknowingly allowing me direct access to their computer (of course, further exploits would have to be utilized, sniff sniff). Anyway, then I got to thinking: how would I target my tool more precisely? Well, then it rang a bell: if I sent this image to one person only in a PM, then I could potentially grab IP addresses from targeted people.
Is there any way of turning off .php extensions in the image tags?