Possible Security Flaw
It seems that the users on my forum have discovered an annoying hack. If, for your account picture, you put people.php?PostBackAction=SignOutNow, then users will be logged out when they view your threads. I had to disable all account profile icons for my site.
This discussion has been closed.
Comments
Can't you set it so only png, gif, jpg, etc. work?
However, I don't think it can be exploited on your users without a severe CSRF vulnerability. Be careful when visiting, as admin, your users' account settings pages.
What about requesting the resource on the server side to check the MIME type?
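The extension restriction suggested in the comments, sketched as an added example that is not part of the thread or of the forum software. The function name `isAcceptableAvatarUrl`, the allowlist and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical avatar URL check, not the forum software's code.
// It validates the parsed URL path rather than the raw string, so a query
// string that merely ends in ".png" does not pass.

const ALLOWED_AVATAR_EXTENSIONS = ['png', 'gif', 'jpg', 'jpeg'];

function isAcceptableAvatarUrl(string $url): bool
{
    $parts = parse_url(trim($url));

    // Require an absolute URL; a relative value such as "people.php?..."
    // has no scheme or host and would resolve against the forum itself.
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // A static image needs no query string or fragment.
    if (isset($parts['query']) || isset($parts['fragment'])) {
        return false;
    }

    // Compare the extension of the path component against the allowlist.
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_AVATAR_EXTENSIONS, true);
}

// Constructed sample inputs (example.org hosts are placeholders).
$samples = [
    'https://img.example.org/avatars/alice.png',
    'people.php?PostBackAction=SignOutNow',
    'https://forum.example.org/people.php?PostBackAction=SignOutNow',
    'https://forum.example.org/people.php?PostBackAction=SignOutNow&x=.png',
    'https://img.example.org/avatars/readme.txt',
];

foreach ($samples as $url) {
    printf("%-72s %s\n", $url, isAcceptableAvatarUrl($url) ? 'accept' : 'reject');
}
```

This check covers only the URL as stored; it says nothing about what the remote host actually returns, which is what the server-side MIME type check raised in the last comment addresses.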