uploads was forced set 777 in Setup,and fileupload did not filter fake suffix files.eg. exe.php.jpg

bigfish

uploads was forced set 777 in Setup,and fileupload did not filter fake suffix files.eg. exe.php to exe.jpg
I rename a test.php to test.jpg and the file successed uploaded

I think there might be some security leak...

This official forums has the same problem as well

x00

I don't get your point. You have to get an executable to execute. If you rename the file unless you there is something running

$ php yourfile

which is highly unlikely, nothign will happen. Most servers are not configured to run jpg and php.

Decent operating systems don't even run anything without executable bit set, which is basically most servers OS.

The only reason for for having this provision, is so people don't accidentally download an run something. You could always zip pretty much any format.

Your file permissions are in your hands (except for cheap webhosts boo). if you don't want script to set permissions don't let it.