I’m a web developer, and if you are too you’ll know all too well the worry of malicious scripts being uploaded to your website. And yes, you’ve put all the checks in: checking that the extension is an image, checking the MIME type, authenticating the user against the upload.
But what about those third party plugins, or when your client has FTP access to “tinker with/break” the work you’ve done? The point I’m making is, even if you’re 99% sure you’ve got it covered – why take the risk?
We’ve been developing PHPScanner because exactly that happened to us: a client had FTP access and allowed some dodgy uploads because they did not properly check the file types.
PHPScanner reads the content of each upload before your website gets access to it. If it considers the upload a PUP (Potentially Unwanted Program), it quarantines the upload and provides useful information.
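To illustrate the kind of content check described above (an added example, not PHPScanner’s own code), the snippet below inspects an upload’s bytes rather than trusting its extension or MIME type, and moves anything suspicious to a quarantine directory. The directory path, function names and the chosen signatures are assumptions for the example.

```php
<?php
// Added example, not PHPScanner's code: scan an upload's content before the
// application can use it, and quarantine anything that looks like server-side code.

// Hypothetical quarantine directory; keep it outside the web root.
const QUARANTINE_DIR = '/var/quarantine';

/**
 * Returns a list of findings for the file; an empty list means nothing suspicious.
 */
function scan_upload_content(string $path): array
{
    $findings = [];
    $data = file_get_contents($path);
    if ($data === false) {
        return ['unreadable file'];
    }

    // A renamed script passes extension and MIME checks, so compare the bytes
    // with the signature the extension claims (constructed list of common images).
    $signatures = ['jpg' => "\xFF\xD8\xFF", 'jpeg' => "\xFF\xD8\xFF", 'png' => "\x89PNG", 'gif' => 'GIF8'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (isset($signatures[$ext]) && strncmp($data, $signatures[$ext], strlen($signatures[$ext])) !== 0) {
        $findings[] = "extension .$ext does not match the file signature";
    }

    // PHP open tags anywhere in the file, e.g. hidden in image metadata.
    // "<?xml" does not match because 'x' is not whitespace.
    if (preg_match('/<\?(php\b|=|\s)/i', $data)) {
        $findings[] = 'PHP open tag found in content';
    }
    return $findings;
}

/**
 * Accepts a clean file into $destPath, otherwise moves it to quarantine and
 * returns the findings so they can be logged or shown to an administrator.
 */
function quarantine_or_accept(string $srcPath, string $destPath): array
{
    $findings = scan_upload_content($srcPath);
    if ($findings === []) {
        rename($srcPath, $destPath);
        return ['status' => 'accepted', 'path' => $destPath];
    }
    $qPath = QUARANTINE_DIR . '/' . bin2hex(random_bytes(8)) . '.quarantined';
    rename($srcPath, $qPath);
    error_log('upload quarantined: ' . $qPath . ' (' . implode('; ', $findings) . ')');
    return ['status' => 'quarantined', 'path' => $qPath, 'findings' => $findings];
}
```

Run `quarantine_or_accept()` on a file that is not yet reachable by the web server; a quarantined file keeps a non-executable suffix so it is never served or included by accident.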
More information: https://github.com/ChubbyNinja/PHPScanner
More information to follow.