|
|
Posted by shimmyshack on 02/23/07 02:35
On 23 Feb, 02:23, "Alan Larsson" <newsgr...@alstown.com> wrote:
> "shimmyshack" <matt.fa...@gmail.com> wrote in message
>
> news:1172193670.840327.125390@v33g2000cwv.googlegroups.com...
>
>
>
> > On 23 Feb, 01:12, Curtis <zer0d...@verizon.net> wrote:
> >> Alan Larsson wrote:
> >> > Is there a way i can look at the php code that is runnig a site,
> >> > without any
> >> > ind of admin access to the server?
>
> >> Unless there is a horrible server misconfiguration or the site has a
> >> serious scripting vulnerability, no.
>
> >> --
> >> Curtis,http://dyersweb.com
>
> > yes, probably but not for someone who provides no specifics and at
> > least attempts to justify it.
> > do no evil.
> > and you have to pay school fees by learning more about things before
> > you ask this kind of question, or you wont be respected enough to get
> > given the answers
>
> actually, I am being accused of stealing PHP code from a site.. and I did
> not think it was possible, so I asked the experts here.
Ah I see, well it didn't sound to me that you knew enough to do it, so
that's your strongest card.
Don't start getting interested in this area just for the sake of
showing you can't because it's a huge area and the answer to this
question is always YES probably. (even the ones with "hacker safe"
symbols.
Basically PHP code is designed never to be released to the end user,
any file on the server should be executed and only the results of the
php code sent to your browser, however there are times when people
make mistakes and the code can be downloaded. The only way you could
have accidentally stolen code via a browser is by accidentally finding
a publically available piece of code, which is NOT your fault. Even if
you did find this, it would be quite improbable that the site in
question could tell if you had. (Unless they use some kind of complex
outgoing filter that records but does not stop outgoing code release -
whereas filters of this kind are usually set up to stop code release)
I would say you are on balance very unlikely to be accused for very
long,
a) it shows a lack of professionalism on their part to be releasing
code which they later regret.
b) whereas however they are saying "they know" you did it, which shows
a degree of skill they probably don't have as (a) shows
Just ask for evidence. But don't claim it "isn't possible" because it
usually is possible to launch an attack, there are so may ways to do
it. For more advice and info ask "OWASP or web app sec" they have to
deal with these kinds of complaints and threats on a regular basis
when they reveal vulnerabilities on sites. In general if you see
something wrong the advice is don't report it, unless you have reason
to believe you will escape subsequent action.
Navigation:
[Reply to this message]
|