Posted by Jerry Stuckle on 03/29/06 13:51
Frank Mutze wrote:
> hello
>
> Is there a method to prevent an attacker from exploiting download.php
> to grab some "sensitive" file?
>
> I mean using that kind of trick
>
> download.php?filename=../../../../../../../../../../../../etc/passwd
>
> thank you
1. Validate the path and filename being downloaded
2. Don't run the webserver as root
3. Let Unix security help you.
Or, better yet - don't let them input the filename being downloaded. Rather,
give them a list of files and let them select. But don't give them the
filenames themselves - just descriptions. Look up the filenames when they
select which file they want to download.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
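The approach Jerry describes, worked through as an added example (this is not code from the original thread): the page shows only descriptions keyed by an opaque id, the real filename is looked up server-side, and a realpath() prefix check covers point 1 as a second layer. The directory /var/www/downloads, the catalogue entries and the id values are assumptions for the illustration.

```php
<?php
// Added example, not code from the original thread: a download.php that
// follows Jerry's advice (the client selects from a list and never supplies a
// filename) with the path check from point 1 as a second layer. The directory
// /var/www/downloads and the catalogue entries below are assumptions.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/downloads';   // assumed location of the files

// Constructed catalogue: opaque id => description shown to the user and the
// real filename, which never leaves the server. A database would do the same.
const CATALOGUE = [
    'brochure' => ['description' => 'Product brochure (PDF)', 'file' => 'brochure.pdf'],
    'guide'    => ['description' => 'Installation guide',     'file' => 'install-guide.pdf'],
    'tarball'  => ['description' => 'Source tarball',         'file' => 'release-1.0.tar.gz'],
];

// The shape Frank described, kept here for contrast and never called: the
// client controls the whole path, so ?filename=../../etc/passwd walks out of
// the download directory.
function vulnerable_download(string $filename): void
{
    header('Content-Type: application/octet-stream');
    readfile(DOWNLOAD_DIR . '/' . $filename);
}

// Hardened lookup: map an id to an absolute path, or null if the id is unknown
// or the file does not resolve to somewhere below DOWNLOAD_DIR.
function resolve_download(string $id): ?string
{
    if (!isset(CATALOGUE[$id])) {
        return null;                       // unknown id, nothing to serve
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . CATALOGUE[$id]['file']);
    if ($base === false || $path === false) {
        return null;                       // directory or file missing
    }
    // realpath() has already collapsed any ".." and followed symlinks, so a
    // plain prefix comparison is enough to reject anything outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// The list Jerry describes: descriptions and ids only, no filenames.
function render_list(): string
{
    $html = "<ul>\n";
    foreach (CATALOGUE as $id => $entry) {
        $html .= sprintf(
            "  <li><a href=\"download.php?id=%s\">%s</a></li>\n",
            urlencode((string) $id),
            htmlspecialchars($entry['description'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</ul>\n";
}

function serve(): void
{
    if (!isset($_GET['id'])) {
        header('Content-Type: text/html; charset=UTF-8');
        echo render_list();
        return;
    }
    $path = resolve_download((string) $_GET['id']);
    if ($path === null) {
        http_response_code(404);
        echo 'No such download.';
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

serve();
```

Because realpath() follows symlinks before the prefix test, a symlink dropped inside the download directory that points at /etc/passwd is rejected as well, which is what makes the check useful even though the filename already comes from a trusted table. Points 2 and 3 still apply: run the server as an unprivileged user and keep the download directory readable, and everything else unreadable, for that user.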