From: "Alexander Mueller" <[EMAIL PROTECTED]>
> "Cpt John W. Holmes" wrote:
> >
> > The user can pass the name of a file on the server. If you're not doing any
> > checks and moving or displaying the "file" the user "sent" you, you may end
> > up moving, deleting, or displaying any file on your server.
> >
> > ---John Holmes...
>
> Thanks John, but only in the case global variables are active (as Marek
> mentioned), right?

I don't think so. Test this, but I think you can just type /etc/passwd into
the file name box (instead of using the "browse" button) and have that value
submitted in the form. May be dependent upon the browser on how it's
handled, though.

Either way, I can still construct a POST to your site using cURL or
something to "simulate" sending you a file with a name of a file on your
server.

So, validate that the file is actually an uploaded file and not a path to
something else. That's why the functions exist.

---John Holmes...

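The point made above, as an added example that is not part of the original thread: the client controls every string in $_FILES (and, with register_globals on, the same string would have arrived as a bare $userfile variable), so the only trustworthy thing is the temporary file PHP itself created, checked with is_uploaded_file() and moved with move_uploaded_file(). A client needs no browser quirk to send a server path as the "name"; with cURL, `curl -F 'userfile=@anything.txt;filename=/etc/passwd' http://host/upload.php` sets the submitted filename freely. The field name "userfile", the constant UPLOAD_DIR and the handler functions are hypothetical names chosen for the example.

```php
<?php
// Added example, not code from the original thread. Assumes a form field
// named "userfile" and a writable directory UPLOAD_DIR (hypothetical names).

const UPLOAD_DIR = __DIR__ . '/uploads';

// Vulnerable: treats the client-supplied "name" as a path on the server.
// Whether it arrives via register_globals as $userfile or via
// $_FILES['userfile']['name'], the string is chosen by the client.
function vulnerable_handler(array $files): string
{
    $name = $files['userfile']['name']; // e.g. "/etc/passwd", set by the client
    // copy() on an attacker-controlled path reads any file the web server can read
    copy($name, UPLOAD_DIR . '/' . basename($name));
    return 'Stored ' . $name;
}

// Hardened: only touch the temporary file PHP created for this request, verify
// that it really came from the upload, and drop any path components from the
// client-supplied name before using it as a destination.
function safe_handler(array $files): string
{
    if (!isset($files['userfile']) || $files['userfile']['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no valid upload');
    }
    $tmp = $files['userfile']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        // tmp_name is not a file PHP's upload handling produced for this request
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Never use the client's name as a path; keep only a sanitized basename.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($files['userfile']['name']));
    if ($safeName === '' || $safeName[0] === '.') {
        throw new RuntimeException('bad file name');
    }
    $dest = UPLOAD_DIR . '/' . $safeName;
    // move_uploaded_file() refuses to move anything is_uploaded_file() rejects
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('move failed');
    }
    return 'Stored ' . $safeName;
}

// Request entry point: only the hardened handler is wired up.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo safe_handler($_FILES);
}
```

Note that is_uploaded_file() is the check that distinguishes a file the PHP upload handler wrote from any other path a request (or a stray variable) names; the basename() and character whitelist only protect the destination, so both are needed.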
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php