Reply to Re: Qustion on viewing code

Your name:

Reply:


Posted by dimo414 on 02/23/07 08:28

On Feb 22, 8:45 pm, "Steve" <no....@example.com> wrote:
> "Rik" <luiheidsgoe...@hotmail.com> wrote in message
>
> news:op.tn6pvcviqnv3q9@misant...| Steve <no....@example.com> wrote:
>
> | > find a server that parses all documents via php instead of by extension,
> | > ....
> | >
> | > it's not hard to hack any site...it just takes a bit of knowledge and
> | > some desire.
> |
> | And in this case, both an insane webserver setting and a either no or a
> | bogus check on files after upload... Usually it would be much, much
> harder.
>
> true. however sadly, *most* web servers (apache anyway) out there at least
> parse all documents through php even if the extension is different...things
> like .css or .jpg, or what have you. this is the critical part. as long as
> this is the configuration, you can find *many* ways to get your script onto
> their server. and you will have enough authorization to access any system
> directory that php has access to...even those not in the web root.
>
> this is not just a php issue, asp and others have the same problem. people
> are not ever as aware as they should be when it comes to security. myself
> included.

I personally always run uploaded images through a resize operation -
that would defeat your embedded php code, wouldn't it?

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация