Posted by Jerry Stuckle on 02/23/07 11:15
Steve wrote:
> "Rik" <luiheidsgoeroe@hotmail.com> wrote in message
> news:op.tn6pvcviqnv3q9@misant...
> | Steve <no.one@example.com> wrote:
> | > Find a server that parses all documents via PHP instead of by extension,
> | > ....
> | >
> | > It's not hard to hack any site... it just takes a bit of knowledge and
> | > some desire.
> |
> | And in this case, both an insane webserver setting and either no or a
> | bogus check on files after upload... Usually it would be much, much
> | harder.
>
> True. However, sadly, *most* web servers (Apache anyway) out there at least
> parse all documents through PHP even if the extension is different... things
Do you have proof of this statement? I find just the opposite - very
few servers parse non-html files through PHP - and most of those who do
change when told about the security implications.
> like .css or .jpg, or what have you. This is the critical part. As long as
> this is the configuration, you can find *many* ways to get your script onto
> their server. And you will have enough authorization to access any system
> directory that PHP has access to... even those not in the web root.
>
> This is not just a PHP issue; ASP and others have the same problem. People
> are not ever as aware as they should be when it comes to security. Myself
> included.
>
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
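For readers wondering what the "insane webserver setting" discussed above looks like in practice, here is an added Apache 2.4 example (not from either poster) contrasting it with a configuration that confines PHP to deliberate .php files and disables it in an upload directory. The paths /var/www/html and /var/www/html/uploads are assumed placeholders.

```apache
# Added example, not from the thread. Paths are hypothetical.

# INSECURE: every file under the document root is handed to PHP regardless
# of extension, so an uploaded "avatar.jpg" containing PHP code executes.
# (Shown commented out so this file can be loaded as-is.)
#
# <Directory "/var/www/html">
#     SetHandler application/x-httpd-php
# </Directory>
#
# A subtler variant: AddHandler matches the extension anywhere in the
# name, so "shell.php.jpg" is still parsed by PHP.
#
# AddHandler application/x-httpd-php .php

# SAFER: bind the PHP handler only to names that END in .php.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Upload directory: PHP engine off (mod_php only; with PHP-FPM restrict the
# proxy handler instead), no .htaccess overrides, and serve nothing but the
# image types the application expects.
<Directory "/var/www/html/uploads">
    php_admin_flag engine off
    AllowOverride None
    Require all denied
    <FilesMatch "\.(jpe?g|png|gif)$">
        Require all granted
    </FilesMatch>
</Directory>
```

A server-side check of the uploaded file's actual content type (not just its name) is still needed; this only limits what the web server will execute or serve if that check is bypassed.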