Posted by Richard Lynch on 03/02/05 21:09
Bostjan Skufca @ domenca.com wrote:
> From system security's standpoint:
>
> <?php
> $content = file_get_contents('http://www.domain.net/file.inc');
> echo $content;
> ?>
>
> is OK, but
>
> <?php
> include('http://www.domain.net/file.inc');
> ?>
>
> is NOT!
>
> Nice patch, Tom, will probably use it myself too...

I'll be interested to see if it works in practice...
[see previous post of mine]

Ya never know.

I still haven't figured out why spam harvesters don't find even the
simplest obfuscations like %40 and @.

But I guess if you come up with a billion fish every time you cast your
line, you don't worry about buying better bait.

I *suspect* this situation is different, in that you will have people
actively trying to alter their attacks to bypass this blockage, and it's
pretty simple to bypass.

But, perhaps, it will turn out to be that there are so many unpatched
wide-open places they can find that they'll never bother you again.

I sure hope so, for your sake!

--
Like Music?
http://l-i-e.com/artists.htm