Is it possible to execute PHP with extension file.php.jpg?
I accidentally left a file upload on my site, and it got hacked (STUPID ME). The hacker had uploaded a file index.php.jpg with the uploader, and simply accessed my site (it was a shell99 script) with it, but I can’t understand why it will work. Someone smart enough to explain this?
Apache controls what file extensions can and cannot execute PHP. This can be controlled on a server-level, or a per-site level (such as with
By default, a .jpg extension should not allow PHP execution. Perhaps the filename was really index.jpg.php and you have misread. However, in the event that the filename is really index.php.jpg, you’ll need to look into all possible locations and lock down your configuration to only allow .php extensions to execute PHP.
Filename was either forged, with \x000 inserted which fooled httpd, or .htaccess was planted as well to enforce PHP for jpg files.
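The three explanations offered in the answers above (a PHP extension somewhere in the name, a null byte in the name, a planted .htaccess) can each be checked when triaging an upload directory or upload log. The following is an added example, not code from any poster; the extension list, function names and sample data are assumptions made for illustration.

```python
import re

# Extensions often mapped to the PHP handler (assumed list; match it to your server).
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
# Directives that can bind a handler or MIME type to files in a directory.
HANDLER_RE = re.compile(r"^\s*(AddHandler|SetHandler|AddType|ForceType)\b.*php", re.I)

def check_filename(name):
    """Return the reasons an uploaded file name deserves a closer look."""
    reasons = []
    if "\x00" in name or "%00" in name:
        reasons.append("null byte in name")
        # Keep only what a C-string API would see after truncation.
        name = name.split("\x00")[0].split("%00")[0]
    base = name.rsplit("/", 1)[-1]
    if base.lower() == ".htaccess":
        reasons.append("per-directory Apache config")
    exts = [e.lower() for e in base.split(".")[1:]]
    if exts and exts[-1] in PHP_EXTS:
        reasons.append("PHP extension")
    elif any(e in PHP_EXTS for e in exts[:-1]):
        # Apache mod_mime looks at every extension, so an AddHandler rule
        # for .php can also apply to a name such as index.php.jpg.
        reasons.append("PHP extension before final extension")
    return reasons

def check_htaccess(text):
    """Return .htaccess lines that map a handler or type involving PHP."""
    return [ln.strip() for ln in text.splitlines() if HANDLER_RE.match(ln)]

def audit(files):
    """files: {name: content or None}. Returns {name: [findings]} for hits only."""
    report = {}
    for name, content in files.items():
        found = check_filename(name)
        if content is not None and name.rsplit("/", 1)[-1].lower() == ".htaccess":
            found += ["directive: " + ln for ln in check_htaccess(content)]
        if found:
            report[name] = found
    return report

# Constructed sample data, not taken from the incident described above.
SAMPLE = {
    "uploads/photo.jpg": None,
    "uploads/index.php.jpg": None,
    "uploads/.htaccess": "AddType application/x-httpd-php .jpg\nOptions -Indexes\n",
}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "->", "; ".join(findings))
```

Null bytes cannot appear in names already on disk, so that check applies to names taken from the upload request or access log.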