Posted by shimmyshack on 02/23/07 18:58
On 23 Feb, 18:38, "Steve" <no....@example.com> wrote:
> "Rik" <luiheidsgoe...@hotmail.com> wrote in message
> news:op.tn7q1znlqnv3q9@misant...
> | shimmyshack <matt.fa...@gmail.com> wrote:
> | Rik <luiheidsgoe...@hotmail.com> wrote:
>
> | >> Rik <luiheidsgoe...@hotmail.com> wrote:
> | >> > shimmyshack <matt.fa...@gmail.com> wrote:
> | >> >> This is the only statement in my httpd.conf:
> | >>
> | >> >> AddType application/x-httpd-php .php
> | >>
> | >> >> and yet the attack works.
> | >> >> The server doesn't have to be set up to parse every doc for php, that
> | >> >> was an assumption.
> | >> >> Has anyone here tried it on their server?
> | >>
> | >> > Attack does not work here on the local server....
> | >>
> | >> And the live server is also safe :-)
> | >
> | > out of interest what are you running, is php a module, ta.
> |
> | Homebox:
> | W2K, Apache 2.2.2, PHP 5.1.4 as a module.
> |
> | Live server:
> | FreeBSD 5.3, Apache 2.0.54, PHP 4.4.2 (yes, still, goddamnit) as a module.
>
> lol. it feels that way sometimes don't it. ;^)
steve with regards your previous offer, the phrase "i'm not worthy"
flashes into my shrivelled brain. Although of course it would be fun,
have you taken a look at the great CAL9000 stuff from RSnake
(http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project)? While not
specifically aimed at server side pen testing, it is the vector by
which your code could be introduced.