Re: security question

Posted by Iván Sánchez Ortega on 11/12/12 11:38

windandwaves wrote:

> If I have a file in the public html directory (e.g. mypage.php) then can
> anyone read this file (i.e. read its actual content rather than the
> interpreted contents it returns when someone opens
> www.myurl.com/mypage.php)?

Not in most cases. As it has been already said, .php files are interpreted
and run, not read, if the webserver configuration is right.

> If so, how do they do that?

A way to circumvent this is to make use of some insecure script that is able
to read files from the server and output them to the client with no or little
checks, something like:

www.myurl.com/download.php?file=../../mypage.php
www.myurl.com/download.php?file=../../../etc/passwd

--
----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_eat_s_p_a_m_for_breakfast@hotmail.com
Jabber:ivansanchez@jabber.org ; ivansanchez@kdetalk.net
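
Added example, not part of the original post: a hypothetical download.php of the kind the reply above describes, showing the unchecked read beside a hardened version that canonicalises the path before serving it. DOWNLOAD_DIR, the function names and the use of PHP 8 are assumptions.

```php
<?php
// Added example (hypothetical script, not code from the thread).
const DOWNLOAD_DIR = '/var/www/downloads';   // assumed: holds only files meant for download

// Vulnerable pattern the post describes: the parameter is joined to a path
// and read back with no checks, so "../" segments leave the directory and
// .php sources come back as text instead of being interpreted.
function serve_unchecked(string $file): string|false
{
    return file_get_contents(DOWNLOAD_DIR . '/' . $file);
}

// Hardened form: canonicalise first, then require the result to stay
// inside DOWNLOAD_DIR and to be a regular, non-script file.
function resolve_download(string $file): ?string
{
    if ($file === '' || str_contains($file, "\0")) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $file);   // resolves ../ and symlinks
    if ($base === false || $path === false) {
        return null;                                 // missing directory or file
    }
    // Trailing separator so a sibling such as /var/www/downloads-old cannot match.
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    if (!is_file($path) || strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'php') {
        return null;
    }
    return $path;
}

$req  = $_GET['file'] ?? '';
$path = is_string($req) ? resolve_download($req) : null;   // reject file[]=... arrays
if ($path === null) {
    http_response_code(404);                               // same answer for every rejection
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this check both example URLs above resolve outside DOWNLOAD_DIR and get a 404; mapping an opaque ID to a filename on the server side removes the user-supplied path entirely.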

 
