 Posted by Steve on 02/23/07 14:11 
"shimmyshack" <matt.farey@gmail.com> wrote in message  
news:1172237010.074652.97530@k78g2000cwa.googlegroups.com... 
| On 23 Feb, 11:15, Jerry Stuckle <jstuck...@attglobal.net> wrote: 
| > Steve wrote: 
| > > "Rik" <luiheidsgoe...@hotmail.com> wrote in message 
| > >news:op.tn6pvcviqnv3q9@misant... 
| > > | Steve <no....@example.com> wrote: 
| > > | > find a server that parses all documents via php instead of by extension,
| > > | > .... 
| > > | > 
| > > | > it's not hard to hack any site...it just takes a bit of knowledge and
| > > | > some desire.
| > > | 
| > > | And in this case, both an insane webserver setting and either no or a
| > > | bogus check on files after upload... Usually it would be much, much harder.
| > 
| > > true. however sadly, *most* web servers (apache anyway) out there at least
| > > parse all documents through php even if the extension is different...things
| > 
| > Do you have proof of this statement?  I find just the opposite - very 
| > few servers parse non-html files through PHP - and most of those who do 
| > change when told about the security implications. 
| > 
| > > like .css or .jpg, or what have you. this is the critical part. as long as
| > > this is the configuration, you can find *many* ways to get your script onto
| > > their server. and you will have enough authorization to access any system
| > > directory that php has access to...even those not in the web root.
| > 
| > > this is not just a php issue, asp and others have the same problem. people
| > > are not ever as aware as they should be when it comes to security. myself
| > > included.
| > 
| > -- 
| > ================== 
| > Remove the "x" from my email address 
| > Jerry Stuckle 
| > JDS Computer Training Corp. 
| > jstuck...@attglobal.net 
| > ================== 
| 
| This is the only statement in my httpd.conf: 
| 
| AddType application/x-httpd-php .php 
| 
| and yet the attack works. 
| The server doesn't have to be set up to parse every doc for php, that
| was an assumption. 
 
not an assumption...just a high-level, objective scenario that others may be  
able to understand. 
 
| Has anyone here tried it on their server? 
 
probably not. :(
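
A defender-side check for the scenario discussed in this post (PHP handling mapped beyond the `.php` extension), as an added example that is not part of the original message: it scans Apache configuration text for `AddType`, `AddHandler`, `SetHandler` and `ForceType` lines that name a PHP handler. The function name, the substring match on "php" and the sample configuration are assumptions constructed for illustration.

```python
# Directives that can route a request to the PHP handler. AddType/AddHandler
# map by file extension; SetHandler/ForceType apply to every file in their scope.
BY_EXTENSION = {"addtype", "addhandler"}
WHOLE_SCOPE = {"sethandler", "forcetype"}
EXPECTED_EXTENSIONS = {"php"}  # assumption: only .php files should run as PHP

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
# constructed sample
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php .html .css .jpg
AddType text/css .css
<Directory "/var/www/uploads">
    SetHandler application/x-httpd-php
</Directory>
"""


def audit_php_mappings(conf_text):
    """Return (line_no, directive, detail) for every PHP mapping that reaches
    beyond the expected extensions."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        # Assumption: any handler or media type containing "php" means PHP.
        if not args or "php" not in args[0].lower():
            continue
        if directive in WHOLE_SCOPE:
            findings.append((line_no, tokens[0], "every file in scope"))
        elif directive in BY_EXTENSION:
            extra = [a for a in args[1:]
                     if a.lstrip(".").lower() not in EXPECTED_EXTENSIONS]
            if extra:
                findings.append((line_no, tokens[0], " ".join(extra)))
    return findings


if __name__ == "__main__":
    for line_no, directive, detail in audit_php_mappings(SAMPLE_CONF):
        print(f"line {line_no}: {directive} sends to PHP: {detail}")
```

The single `AddType application/x-httpd-php .php` line quoted in the thread yields no findings, so a clean result only rules out the parse-everything configuration.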
 
  