Update README.md

Author: carlospolop

src/pentesting-web/file-upload/README.md

@@ -88,11 +88,6 @@ Then hit the saved path (typical in Laravel + LFM):
 GET /storage/files/0xdf.php?cmd=id
 ```
 
-Mitigations:
-- Upgrade unisharp/laravel-filemanager to ≥ 2.9.1.
-- Enforce strict server-side allowlists and re-validate the persisted filename.
-- Serve uploads from non-executable locations.
-
 ### Bypass Content-Type, Magic Number, Compression & Resizing
 
 - Bypass **Content-Type** checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
@@ -432,11 +427,6 @@ Notes
 - The payload file must still pass server‑side magic/MIME sniffing. Embedding the PHP in a PDF stream keeps the header valid.
 - Works where the enum/validation path and the extraction/write path disagree on string handling.
 
-Mitigations
-- Reject any archive with NULs in entry names; normalize and canonicalize names prior to validation.
-- Use a single, consistent library for enumeration and extraction; never mix parsers.
-- Store uploads on non-executable storage; never serve directly from the extraction path.
-
 ### Stacked/concatenated ZIPs (parser disagreement)
 
 Concatenating two valid ZIP files produces a blob where different parsers focus on different EOCD records. Many tools locate the last End Of Central Directory (EOCD), while some libraries (e.g., ZipArchive in specific workflows) may parse the first archive they find. If validation enumerates the first archive and extraction uses another tool that honors the last EOCD, a benign archive can pass checks while a malicious one gets extracted.
@@ -460,11 +450,6 @@ Abuse pattern
 - Concatenate them: `cat benign.zip evil.zip > combined.zip`.
 - If the server validates with one parser (sees benign.zip) but extracts with another (processes evil.zip), the blocked file lands in the extraction path.
 
-Mitigations
-- Reject archives with trailing bytes or multiple EOCDs; verify exactly one well‑formed archive.
-- Use the same parser for validation and extraction.
-- Disallow server‑side extraction to web‑served, executable folders; prefer offline processing with strict allowlists.
-
 ## ImageTragic
 
 Upload this content with an image extension to exploit the vulnerability **(ImageMagick , 7.0.1-1)** (form the [exploit](https://www.exploit-db.com/exploits/39767))
@@ -522,4 +507,4 @@ How to avoid file type detections by uploading a valid JSON file even if not all
 - [Microsoft – mklink (command reference)](https://learn.microsoft.com/windows-server/administration/windows-commands/mklink)
 - [0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}