Richard Lynch replied:
...
- Kills file upload completely
I *think* safe_mode can be on and files can be uploaded if the ISP works at
it... But they have to want it bad enough to do some configuration. Most
ISPs want to just install stuff as-is and not take the time to find out how to
Subject: Re: [PHP] hacks we should know about
hi i found it very helpful to know about hacks such as the below list
and was wondering if anyone had any more dumb mistakes they could tell
us before we make them.
1. http://www.somesite.com/source.php3?url=/etc/passwd
2. http
So sprach »Seb Frost« am 2001-08-21 um 18:25:08 +0100 :
I don't host my own site so how can I put include files outside of the web
root? I log on ftp and my top level IS the web root (htdocs), I can't go
any higher.
In this case you can't.
Alexander Skwar
--
How to quote:
Alexander Skwar wrote:
So sprach »Seb Frost« am 2001-08-21 um 18:25:08 +0100 :
I don't host my own site so how can I put include files outside of the web
root? I log on ftp and my top level IS the web root (htdocs), I can't go
any higher.
In this case you can't.
Dumb question:
So sprach »Ashley M. Kirchner« am 2001-08-21 um 11:46:29 -0700 :
Dumb question: Can't he create a new folder under his web root (let's call
it 'incs') and set up an .htaccess file that denies requests to files within
that?
Yes, he might be able to do so - but it's also possible that the
Sent: Tuesday, August 21, 2001 12:25 PM
Subject: RE: [PHP] hacks we should know about
I don't host my own site so how can I put include files outside of the web
root? I log on ftp and my top level IS the web root (htdocs), I can't go
any higher.
- seb
-Original Message-
From
just found this article and the author recommends the following for secure php
scripting. what do the experts think?
This article has been discussed in excruciating detail on
[EMAIL PROTECTED] and the expert's opinions are archived...
http://php.net/support.php should lead you to this
On 17 Aug 01, at 0:08, [EMAIL PROTECTED] wrote:
Not that I particularly want to turn this thread into a debate about unix
security, but...
Anyone with a clue doesn't use /etc/passwd anymore *shadow password file*,
so that's kind of depreciated...
While this is true a great deal of damage can
just found this article and the author recommends the following for secure php
scripting. what do the experts think?
- Set register_globals off
This option will stop PHP creating global variables for user input. That is,
if a user submits the form variable 'hello' PHP won't set $hello,
hi i found it very helpful to know about hacks such as the below list
and was wondering if anyone had any more dumb mistakes they could tell
us before we make them.
1. http://www.somesite.com/source.php3?url=/etc/passwd
2. http://www.somesite.com?page=../../../../etc/passwd
3. not setting .inc
hi i found it very helpful to know about hacks such as the below list
and was wondering if anyone had any more dumb mistakes they could tell
us before we make them.
1. http://www.somesite.com/source.php3?url=/etc/passwd
2. http://www.somesite.com?page=../../../../etc/passwd
3. not setting
and securityfocus.com are good places to keep up with both ends
of the stick.
-Original Message-
From: Bob [mailto:[EMAIL PROTECTED]]
Sent: August 17, 2001 11:43 AM
To: [EMAIL PROTECTED]
Subject: [PHP] hacks we should know about
hi i found it very helpful to know about hacks such as the below
rasmus, if password.inc is being parsed by php then how would you get the
code??? won't it just be a blank page??? oh i thought up one more ...
4. checking for html tags and php scripting when accepting data from text
boxes
Rasmus Lerdorf wrote:
hi i found it very helpful to know about
rasmus, if password.inc is being parsed by php then how would you get the
code??? won't it just be a blank page??? oh i thought up one more ...
Include files are written to be included. They are tested and debugged in
the scope of the file that is including it. Parsing such an include file
Sent: August 17, 2001 1:42 PM
To: Bob; Rasmus Lerdorf
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] hacks we should know about
<?php
if(ereg("/", $file))
{
    $file = file("loggedips.txt");
    $fp = fopen("loggedips.txt", "w");
    fwrite($fp, "\r\n".$REMOTE_ADDR." to ".$file);
    for($i=0;$i<sizeof($file);$i++)
        fwrite($fp