|
Posted by shimmyshack on 02/23/07 13:23
On 23 Feb, 11:15, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Steve wrote:
> > "Rik" <luiheidsgoe...@hotmail.com> wrote in message
> >news:op.tn6pvcviqnv3q9@misant...
> > | Steve <no....@example.com> wrote:
> > | > find a server that parses all documents via php instead of by extension,
> > | > ....
> > | >
> > | > it's not hard to hack any site...it just takes a bit of knowledge and
> > | > some desire.
> > |
> > | And in this case, both an insane webserver setting and a either no or a
> > | bogus check on files after upload... Usually it would be much, much
> > harder.
>
> > true. however sadly, *most* web servers (apache anyway) out there at least
> > parse all documents through php even if the extension is different...things
>
> Do you have proof of this statement? I find just the opposite - very
> few servers parse non-html files through PHP - and most of those who do
> change when told about the security implications.
>
> > like .css or .jpg, or what have you. this is the critical part. as long as
> > this is the configuration, you can find *many* ways to get your script onto
> > their server. and you will have enough authorization to access any system
> > directory that php has access to...even those not in the web root.
>
> > this is not just a php issue, asp and others have the same problem. people
> > are not ever as aware as they should be when it comes to security. myself
> > included.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
This is the only statement in my httpd.conf:
AddType application/x-httpd-php .php
and yet the attack works.
The server doesnt have to be set up to parse every doc for php, that
was an assumption.
Has anyone here tried it on their server?
[Back to original message]
|