From: "PHP Junkie" <[EMAIL PROTECTED]>
As my link to the download file, I changed it to
<a href=\"imsafm_user_dl.php?F=imsafm/$user/$myrow[filename]\"><img src=b_newtbl.png border=0></a>
And changed the code in the download file to
<?php
header("Content-Description: File Transfer");
header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=".basename($F));
@readfile($F);
?>
How are you validating $F and ensuring it's not a path to any file on your server?
imsafm_user_dl.php?F=/home/path/to/secret/file.txt
It's a File Manager application, so I guess it's supposed to be accessible only to administrators that have (s)ftp access anyway.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
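
One way to do the validation asked about in the thread, as an added example that is not code from any of the posters: F carries only a file name, the user's directory is chosen on the server, and the resolved path must still sit inside that directory. resolve_download(), send_download(), the user name "alice" and the temporary demo layout are assumptions made for illustration.

```php
<?php
// Added example; function names and the demo layout below are hypothetical.

function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks and returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Accept only paths that are still under the base directory after resolution.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// What the download script would call once resolve_download() returned a path.
function send_download(string $path): void
{
    $name = str_replace('"', '', basename($path));
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed sample layout so the check can be run from the CLI.
$root = sys_get_temp_dir() . '/imsafm_demo_' . getmypid();
mkdir("$root/imsafm/alice", 0700, true);
file_put_contents("$root/imsafm/alice/report.txt", "ok\n");
file_put_contents("$root/secret.txt", "not for download\n");

$userDir = "$root/imsafm/alice"; // taken from the logged-in session, never from the URL
$cases = ['report.txt', '../../secret.txt', "$root/secret.txt", 'missing.txt'];
foreach ($cases as $f) {
    $path = resolve_download($userDir, $f);
    printf("%-45s %s\n", $f, $path === null ? 'rejected' : 'allowed');
}

// Remove the constructed sample files.
unlink("$root/imsafm/alice/report.txt");
unlink("$root/secret.txt");
rmdir("$root/imsafm/alice"); rmdir("$root/imsafm"); rmdir($root);
```

Only report.txt is allowed; the relative traversal, the absolute path and the missing file are all rejected before any header is sent.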