In reply to How I hacked my own site by feeding it a profile picture via webmention by https://seblog.nl on

Yeah, this is one of the big problems with PHP, and Apache mod_php specifically. You can implement various mitigations (drop an .htaccess into the uploads directory that turns off any script execution?) but the fact that you have to is kinda ridiculous. Pretty much all other web development environments are not based around just running scripts from the same directories where static files are. Heck, Apache’s CGI implementation was better, it only ran code from the /cgi-bin/ subdirectory!
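As an added example (not from the original post or from the site being replied to), this is the kind of .htaccess the mitigation above refers to. It assumes Apache 2.4 with mod_php, an uploads directory whose `<Directory>` block has `AllowOverride FileInfo Options Limit` (or `All`), and that nothing in that directory ever legitimately needs to execute:

```apache
# Hypothetical .htaccess for an uploads/ directory (added example, not from the original post).
# Goal: nothing under this tree is ever executed by mod_php, whatever its filename says.

# 1. Switch the PHP engine off for this subtree. Only mod_php honours this directive;
#    with php-fpm/proxy_fcgi it is silently ignored, so do not rely on it alone.
php_flag engine off

# 2. Strip the handler and MIME associations that would hand a file to PHP, so that
#    picture.php or picture.phtml is treated as a plain file rather than a script.
RemoveHandler .php .phtml .phar .php3 .php4 .php5 .php7 .phps
RemoveType    .php .phtml .phar .php3 .php4 .php5 .php7 .phps
SetHandler none

# 3. Make sure no other execution path is open in this directory.
Options -ExecCGI -Includes -Indexes

# 4. Belt and braces: refuse to serve anything with a script-like extension at all.
#    This also catches double extensions such as avatar.php.jpg on misconfigured setups
#    that match handlers on any extension component, because the regex checks each one.
<FilesMatch "\.(ph(p[0-9]?|tml|ar|ps)|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>
```

A quick check after deploying: upload (or place by hand) a file named `test.php` containing `<?php echo "executed"; ?>` and request it; a correct configuration returns a 403, and a wrong one either prints "executed" (handler still active) or serves the source text (handler removed but the file still exposed).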

