Post #1, Nov 6 2006, 08:45 AM
Newbie, Group: Members, Posts: 7, Joined: 29-October 06, Member No.: 32,437
Hello;
If you are running a website that offers free image hosting, then this is for you! If the image hosting script you are using is a bit poor, hackers can use this to upload their "php shell" and be able to make modifications to your site!!! You might say this wouldn't happen to you!... but it happened to me... My website is mostly a family website, so all my family checks it, and when the hackers acted... I got humiliated. I had to delete everything they put up, and disable the image hosting service, but all this after I got humiliated... so watch out guys!!
Post #2, Nov 6 2006, 03:04 PM
ointment!, Group: Members, Posts: 542, Joined: 2-September 04, From: Bat Country, Member No.: 980
What was the hosting script that you used? Just so we know what to look out for...
Post #3, Nov 25 2006, 03:34 PM
Newbie [Level 3], Group: Members, Posts: 49, Joined: 29-October 06, Member No.: 32,450
That could happen, but if your upload script only allows pictures... there's a slightly smaller chance of that.
Post #4, Nov 25 2006, 06:11 PM
A clever man learns from his own mistakes, a WISE man learns from those of OTHERS, Group: [HOSTED], Posts: 884, Joined: 12-April 06, From: Essex, UK, Member No.: 21,719
QUOTE: "That could happen, but if your upload script only allows pictures... there's a slightly smaller chance of that."

Less likely, yes, but not impossible. There is a way to get PHP to execute within an image, as some signatures you see do, the ones which display your IP, OS etc... The only way I know of doing this is to write the PHP code yourself and specify an image document type, but I'm sure there is an exploit somewhere which will allow such images to be uploaded. As a rule I wouldn't normally allow people to upload their own images just because it's risky in what they might upload, including illegal images and code etc... It might be an idea to try to add a feature to let people specify a URL to an image already hosted and to have them upload these images on some other professional image host. Might defeat the point though!
Post #5, Nov 27 2006, 03:06 PM
Privileged Member, Group: [HOSTED], Posts: 659, Joined: 16-April 06, From: Texas, Member No.: 21,945
Well, sorry to hear about that, but for those who are running image hosting sites, please beware..
Post #6, Nov 28 2006, 05:51 AM
Newbie [Level 2], Group: Members, Posts: 30, Joined: 23-November 06, Member No.: 33,877
I think there is a procedure in PHP to make sure that the input would not be parsed as PHP script.
The same thing which is used to prevent SQL injection.
Post #7, Dec 23 2006, 05:09 AM
Super Member, Group: Members, Posts: 293, Joined: 17-December 05, From: Error 404, Member No.: 15,848
If I recall correctly, Image Shack used to have a vulnerability to something like this and some forms of spyware were actually trying to slip their way in, along with the image upload. Eventually, they had something scripted in that blocks anybody who has cool web search and the like from uploading anything.
Post #8, Dec 25 2006, 07:44 AM
Newbie [Level 1], Group: Members, Posts: 10, Joined: 13-December 06, Member No.: 35,211
I wrote an upload script in PHP a few years ago that allowed users to upload jpg/gif images. The 3 important things that must be in an upload script are:
1. Check the file's name (in my case ensure it's a .jpg or .gif and not anything else)
2. Check the file's CONTENT-TYPE
3. Set the permissions of the file so that it isn't allowed to be "executed" (read/write only)
Also, I dynamically renamed the files so that:
1. Overwriting existing files of the same name wouldn't be a problem
2. More secure: if the above methods failed, at least the file would have an arbitrary name of randomname.jpg instead of something like index.gif.php
Finally, be careful about allowing users to upload files into a directory visible from the web.
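The handler below is an added example, not the poster's script, and it also covers the earlier point in post #4 about PHP code being carried inside an image. It applies the three checks listed above plus the random rename, with one change a defender would want: the CONTENT-TYPE sent with the upload is chosen by the client, so the content check reads the file's magic bytes and asks getimagesize() instead. Assumed, not from the thread: the form field name "image", the UPLOAD_DIR path (a directory outside the web root), the 2 MiB size cap, and the function names.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code: a PHP image upload handler.
// Assumed: UPLOAD_DIR is NOT under the document root and is served, if at
// all, by a separate read-only script; the form field is named "image".
const UPLOAD_DIR = '/srv/uploads_private';   // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;          // assumed 2 MiB cap

// Allowlist: extension => magic bytes at offset 0 and the IMAGETYPE_* constant
// that getimagesize() must report for that extension.
function allowed_types(): array
{
    return [
        'jpg' => ['magic' => ["\xFF\xD8\xFF"],       'type' => IMAGETYPE_JPEG],
        'gif' => ['magic' => ["GIF87a", "GIF89a"],   'type' => IMAGETYPE_GIF],
        'png' => ['magic' => ["\x89PNG\r\n\x1A\n"],  'type' => IMAGETYPE_PNG],
    ];
}

// Check 1: the file name. Only the final extension is considered, so a name
// like "index.gif.php" has extension "php" and is rejected here.
function checked_extension(string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!array_key_exists($ext, allowed_types())) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    return $ext;
}

// Check 2: the content. $_FILES[...]['type'] is whatever the client sent, so
// the bytes on disk are inspected instead: first the magic number, then a
// full decode attempt by getimagesize() that must agree with the extension.
function check_content(string $tmpPath, string $ext): void
{
    $spec = allowed_types()[$ext];
    $head = file_get_contents($tmpPath, false, null, 0, 8);
    if ($head === false) {
        throw new RuntimeException('cannot read upload');
    }
    $magicOk = false;
    foreach ($spec['magic'] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            $magicOk = true;
            break;
        }
    }
    if (!$magicOk) {
        throw new RuntimeException('content does not match extension');
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $spec['type']) {
        throw new RuntimeException('not a valid image of the declared type');
    }
}

// Checks 3 and the rename: store under a random name with no execute bit.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('rejected upload');
    }
    $ext = checked_extension($file['name']);
    check_content($file['tmp_name'], $ext);

    // The original name is discarded entirely: it cannot overwrite an existing
    // file and cannot carry a second extension into storage.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    // Owner read/write, everyone else read-only, no execute bit.
    chmod($dest, 0644);
    return basename($dest);
}

// Usage (assumed form field "image"); errors are reported without detail.
if (isset($_FILES['image'])) {
    try {
        $stored = store_upload($_FILES['image']);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

Two points on the design. The execute bit in step 3 does not stop a PHP module from interpreting a file: the web server decides what to run from the file's extension and handler mapping, not from the mode bits, so the fixed extension, the random name and the storage location outside the web root are what actually keep a "php shell" from ever being executed. And getimagesize() accepts a well-formed image even if text such as PHP tags sits in a comment segment, which is the case post #4 describes; that is why the file is never written under a name or path the server would hand to the PHP handler, regardless of what the image contains.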
Post #9, Jan 10 2007, 03:21 AM
Premium Member, Group: Members, Posts: 196, Joined: 25-October 06, Member No.: 32,173
Mind telling us which picture hosting website you used? Please let me know so that I can set rules in my forum to prevent any damage from occurring.