2

I have a question about hacking file uploads. Below is the kind of setup I'm using; my concern is around the action that gives the full path to the upload script:

<form action="http://www.mydomain.com/scripts/php/photo_processing.php?page=join" method="post" enctype="multipart/form-data">
  <input type="file" name="file" class="fileProfile"><br>
</form>

Can someone use the full path to send files repeatedly and fill a web server's disk space, etc.? E.g., can you send files using this path from outside the website and/or in a way that allows automated constant uploads?

Note: the PHP file has the following at the top. It is set to only this domain name, which is needed because of the AWS CloudFront POST limitation:

header("Access-Control-Allow-Origin: http://www.mydomain.com");

Adam

1 Answer

2

No, they are basically prevented by the cross-domain policy, unless mydomain.com gives you access to it.

Starx
  • I've updated the question as I do have this in the header: header("Access-Control-Allow-Origin: http://www.mydomain.com"); - but it's only set to the domain in question. Does this create the needed restriction? – Adam Apr 21 '13 at 03:19
  • Last question - (and thank you for your time) - can people fake the domain they are sending the request from and get around this restriction? – Adam Apr 21 '13 at 03:24
  • They can fake the referer I think. – Starx Apr 21 '13 at 03:53
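
Access-Control-Allow-Origin is a response header that browsers act on when a script reads a cross-origin response; the server does not check it, and it places no limit on how many uploads the endpoint accepts, so protection against disk filling has to live in the handler itself. The sketch below is an added example, not code from the question or the answer, showing such server-side limits in PHP; the session keys, the hidden csrf form field, the limits and the storage path are all assumptions.

```php
<?php
// Added example, not the asker's photo_processing.php. Assumed names: a login
// session holding 'user_id' and 'csrf', a hidden 'csrf' form field, and the
// limits and paths below. The file field is named 'file', as in the question.
const MAX_BYTES    = 2 * 1024 * 1024;      // per-file size cap (assumed)
const MAX_PER_HOUR = 20;                   // per-user upload budget (assumed)
const UPLOAD_DIR   = '/var/app/uploads';   // assumed path outside the web root
const ALLOWED      = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function reject(int $code, string $why): void {
    http_response_code($code);
    exit($why);
}

session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') reject(405, 'POST only');
if (empty($_SESSION['user_id'])) reject(401, 'login required');

// Tie the request to the session with a token instead of trusting Origin/Referer.
$token = $_SESSION['csrf'] ?? '';
$sent  = $_POST['csrf'] ?? '';
if (!is_string($token) || $token === '' || !is_string($sent)
    || !hash_equals($token, $sent)) reject(403, 'bad token');

// Per-user budget over the last hour, kept in a JSON file under an exclusive
// lock. Every attempt is counted, including ones rejected further down.
$ledger = UPLOAD_DIR . '/quota-' . hash('sha256', (string) $_SESSION['user_id']) . '.json';
$fh = fopen($ledger, 'c+');
if ($fh === false || !flock($fh, LOCK_EX)) reject(500, 'quota check failed');
$times = json_decode(stream_get_contents($fh) ?: '[]', true);
$times = array_values(array_filter(is_array($times) ? $times : [],
    fn($t) => is_int($t) && $t > time() - 3600));
if (count($times) >= MAX_PER_HOUR) reject(429, 'upload limit reached');
$times[] = time();
ftruncate($fh, 0);
rewind($fh);
fwrite($fh, json_encode($times));
fclose($fh);                               // closing the handle releases the lock

// Validate the upload itself: PHP's error code, size, and sniffed content type.
$f = $_FILES['file'] ?? null;
if (!is_array($f) || !is_int($f['error']) || $f['error'] !== UPLOAD_ERR_OK) reject(400, 'upload failed');
if ($f['size'] > MAX_BYTES) reject(413, 'file too large');
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
$ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
if ($ext === null) reject(415, 'images only');

// Store under a random server-chosen name; never reuse the client's filename.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], $dest)) reject(500, 'store failed');
echo 'ok';
```

PHP's `upload_max_filesize` and `post_max_size` settings cap the request size before the script runs; the checks above add a per-user budget and content validation on top of them.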