Hi! You are viewing the archive of unrelenting.technology. This website is no longer updated, my current one is val.packett.cool. Check it out instead :)

In reply to How I hacked my own site by feeding it a profile picture via webmention by https://seblog.nl on

Yeah, this is the one of the big problems with PHP, and Apache mod_php specifically. You can implement various mitigations (drop an .htaccess into the uploads directory that turns off any script execution?) but the fact that you have to is kinda ridiculous. Pretty much all other web development environments are not based around just running scripts from the same directories where static files are. Heck, Apache’s CGI implementation was better, it only ran code from the /cgi-bin/ subdirectory!


Categories and tags


Posted using