
Replies: 7    Views: 266

Jenny21
Code is Art
Posts: 182
Reg: Apr 14, 2011
USA, Kentucky
1,820
06/05/12 01:38 AM (11 years ago)

My Image Uploader Script was Hacked

BuzzTouch's Image Uploader Script is exploitable. Just an hour ago it was exploited on my HostGator shared hosting. The hacker deleted all my files. THANKFULLY, I contacted HostGator support ASAP. In less than an hour they had my website restored and the Image Uploader script 0-0-0'd (meaning no one could access it). Just thought I'd make a warning. DO NOT use the Image Uploader script. It can easily be exploited, and a hacker can upload a malicious shell to your web server. It happened to me. It can just as easily happen to you. BTW, this is the script I'm talking about: http://www.buzztouch.com/docs/v1.5/sample-image-upload.txt If anybody could make a non-exploitable version that would be great. Just thought I'd warn you guys and save you a long, painful headache.
 
mysps
Code is Art
Posts: 2082
Reg: May 14, 2011
Palma
33,320
06/05/12 01:42 AM (11 years ago)
Try using the image emailer plugin using Flickr. Works excellently.
 
David @ buzztouch
buzztouch Evangelist
Posts: 6866
Reg: Jan 01, 2010
Monterey, CA
78,840
06/05/12 02:55 AM (11 years ago)
It's disingenuous to title a forum post with "BuzzTouch's Image Uploader Script is exploitable". I changed the forum post title to a more appropriate title to avoid unnecessary worry by lots of site visitors. A more appropriate title could have been: "My shared hosting web server was exploited through an unprotected PHP script." Any unprotected PHP script is exploitable. I repeat - ANY unprotected PHP script. The image uploader script you're referring to is a very, very basic sample script that's meant to help you understand how such a file works. This is precisely the reason the message included in the sample script reads "CAUTION, THERE ARE NO SECURITY MEASURES TAKEN IN THIS SCRIPT." If you're running your own web server it's important to implement lots of security and anti-exploit measures. Using a sample image-uploader script on an unprotected backend for sure is not a good idea.
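For reference, this is what "security measures" look like for a PHP upload handler of the kind discussed above. It is an added example written here, not the buzztouch sample script and not code from anyone in this thread; it assumes a form field named "image" and a storage directory outside the web root, and it belongs behind whatever login the site already uses.

```php
<?php
// Added example: a hardened image-upload handler with the checks the
// buzztouch sample script explicitly leaves out. Assumptions: the form
// field is "image", and $storeDir sits OUTSIDE the web root so nothing
// uploaded can ever be executed by the web server.

const MAX_BYTES = 2 * 1024 * 1024;   // 2 MB cap on a single upload
const ALLOWED   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_uploaded_image(array $file, string $storeDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only handle a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the real content type; never trust $file['type'] or the client filename.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Require a decodable image header; a script renamed to .jpg fails here.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('corrupt image');
    }
    // Server-chosen random name: no user-controlled path, extension or traversal.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

// Usage from the POST handler, after the site's own authentication check:
// try { $saved = store_uploaded_image($_FILES['image'], '/var/app/uploads'); }
// catch (RuntimeException $e) { http_response_code(400); exit('rejected'); }
```

Type sniffing and getimagesize() can both be satisfied by a crafted file, so the storage location outside the web root (with images served back through a read-only script) is the control that actually stops an uploaded shell from running.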
 
Paul Rogers
Android Fan
Posts: 2524
Reg: May 30, 2011
UK
35,740
06/05/12 03:00 AM (11 years ago)
*edit* David said it.
 
mrDavid
BTMods.com
Posts: 3936
Reg: May 21, 2011
San Diego, CA
51,910
06/05/12 06:00 AM (11 years ago)
@Jenny21 In the future serious developers will be adding more protection to these kinds of scripts and hopefully releasing their modifications to the public. Use @mysps's suggestion; Flickr is a great alternative for what you're looking to do - and they have security measures in place. If you have any EXACT info that your host may have given you on how the exploit was executed, it would be a great idea to post that information here for future reference for other developers and users. Take care, David buzztouchmods.com
 
MacApple
Apple Fan
Posts: 4674
Reg: Oct 25, 2010
USA
61,140
06/05/12 10:01 AM (11 years ago)
No point publishing an exploit on a public forum (that relates directly to a script many users on the forum will be using); it's just asking for trouble. Suffice to say, as mentioned above, the script is not safe as-is and is clearly marked as such. Make sense? It does to me.
 
Jenny21
Code is Art
Posts: 182
Reg: Apr 14, 2011
USA, Kentucky
1,820
06/05/12 10:13 AM (11 years ago)
Sorry David for the confusion. I wrote this thread at like 3 AM. I wasn't thinking straight, really. This is my fault. If I figure out how to properly secure it, I will write a tutorial here showing how so others don't have to go through the same mess I went through. Anyways, thanks BuzzTouch guys!
 
mrDavid
BTMods.com
Posts: 3936
Reg: May 21, 2011
San Diego, CA
51,910
06/05/12 10:20 AM (11 years ago)
@MacApple so dumb of me, I had not thought of that. Thanks for pointing that one out. Best of luck Jenny! David buzztouchmods.com
 
