Home » Php » Why filename.php.jpg will work as a PHP file?

Why filename.php.jpg will work as a PHP file?

Posted by: admin July 12, 2020 Leave a comment

Questions:

Possible Duplicate:
Is it possible to execute PHP with extension file.php.jpg?

I accidentally left a fileupload to my site, and it got hacked (STUPID ME). The hacker had uploaded a file index.php.jpg with the uploader, and simply accessed my site (it was a shell99 script) with it, but I can’t understand why it will work. Someone smart enough to explain this?

How to&Answers:

Apache controls what file extensions can and cannot execute PHP. This can be controlled on a server-level, or a per-site level (such as with .htaccess).

By default, a .jpg extension should not allow PHP execution. Perhaps the filename was really index.jpg.php and you have misread. However, in the event that the filename is really index.php.jpg, you’ll need to look into all possible locations and lock-down your configuration to only allow .php extensions to execute PHP.

Answer:

Filename was either forged, with \x000 inserted which fooled httpd, or .htaccess was planted as well to enforce PHP for jpg files.