Never trust user supplied data
I hope eBay are checking more than just the HTTP headers sent with the upload request. The only way to be sure you've got an image is to check the file contents.
Hacker Aditya Sood has disclosed two vulnerabilities in eBay that allow hackers to upload files for drive-by-download attacks. The security bod (@AdityaKSood) told ThreatPost the flaws allow attackers to upload malicious content that appears to be benign. Once uploaded to eBay, malware can be sent to victims using direct links …
Which OS are you referring to?
I don't have Linux or OSX to hand, but in Windows, when I rename an EXE file as .JPG and double click it, it tries to open it in my paint package (which fails with an invalid format).
I then proceeded to put the filepath in Firefox and IE, and both tried to render as an image (and failed). Okay, so it's not on a webserver, but surely that would be riskier because there's no metadata saying "This is an image by the way".
So TBH, I'm not really sure how this is supposed to work.
You're playing with files on the filesystem. When files come in over an HTTP connection, different rules apply. There is (usually) an HTTP header telling the client what the content type is supposed to be. But this is just a hint, and the client can inspect the file contents to decide what to do itself.
"You're playing with files on the filesystem. When files come in over a HTTP connection, different rules apply." You mean like no security?
Any program or OS that takes a file and runs it like an exe because of its contents but isn't file typed as exe is asking for trouble.
Who thought that a good idea?
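
The point made earlier in the thread, that the headers sent with an upload are only a claim and the file contents have to be checked, as an added example (not code from the thread or from eBay). The accepted types, function names and sample byte strings are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures for the image types a (hypothetical) upload endpoint accepts.
IMAGE_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
}
# Executable signatures, checked first only to give a clearer rejection reason.
EXECUTABLE_SIGNATURES = {b"MZ": "Windows PE/DOS executable", b"\x7fELF": "ELF executable"}


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, magics in IMAGE_SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def check_upload(declared_type: str, filename: str, data: bytes):
    """Return (accepted, reason); the client's type and filename are claims only."""
    for magic, label in EXECUTABLE_SIGNATURES.items():
        if data.startswith(magic):
            return False, f"content is a {label}"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content does not start with a known image signature"
    if declared_type.split(";")[0].strip().lower() != actual:
        return False, f"declared {declared_type!r} but content is {actual}"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS[actual]:
        return False, f"extension {ext!r} does not match {actual}"
    return True, actual


# Constructed samples: (declared Content-Type, filename, first bytes of the body).
SAMPLES = [
    ("image/jpeg", "photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("image/jpeg", "photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),  # renamed executable
    ("image/png", "logo.png", b"GIF89a\x01\x00\x01\x00"),         # type mismatch
]

if __name__ == "__main__":
    for declared, name, body in SAMPLES:
        print(name, declared, check_upload(declared, name, body))
```

A matching signature only vouches for the first few bytes, so decoding and re-encoding the image server-side is a stronger check. Serving uploads with `X-Content-Type-Options: nosniff` stops browsers from second-guessing the declared type.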