Posted by Steve on 02/23/07 04:45
"Rik" <luiheidsgoeroe@hotmail.com> wrote in message
news:op.tn6pvcviqnv3q9@misant...
| Steve <no.one@example.com> wrote:
| > find a server that parses all documents via php instead of by extension,
| > ....
| >
| > it's not hard to hack any site...it just takes a bit of knowledge and
| > some desire.
|
| And in this case, both an insane webserver setting and either no check or a
| bogus check on files after upload... Usually it would be much, much
| harder.
True. However, sadly, *most* web servers (Apache anyway) out there at least
parse all documents through PHP even if the extension is different... things
like .css or .jpg, or what have you. This is the critical part. As long as
this is the configuration, you can find *many* ways to get your script onto
their server, and you will have enough authorization to access any system
directory that PHP has access to... even those not in the web root.
This is not just a PHP issue; ASP and others have the same problem. People
are not ever as aware as they should be when it comes to security. Myself
included.
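An added example, not from the thread: the Apache/mod_php handler setting Steve describes, shown next to a hardened configuration. The directory path is assumed for illustration.

```apache
# Added example (not from the thread). Requires mod_php; the path is assumed.

# --- Weak: every listed extension, including .css and .jpg, is parsed by PHP.
# An uploaded "image" that contains PHP code runs as soon as it is requested.
AddHandler application/x-httpd-php .php .css .jpg .png .txt

# --- Hardened: only files whose name ENDS in .php reach the PHP handler.
# The anchored regex matters: AddHandler on ".php" also matches "file.php.jpg"
# because mod_mime honours every extension in the name, not just the last one.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# The upload directory must never execute anything, whatever the extension,
# so a bogus or missing upload check cannot turn into code execution.
<Directory "/var/www/html/uploads">
    php_admin_flag engine off
    RemoveHandler .php .phtml
    Options -ExecCGI -Includes
    AllowOverride None
</Directory>
```

Keeping uploads outside DocumentRoot and serving them through a script that sets Content-Type is stronger still, since nothing user-controlled then sits in the web root at all.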