[Gllug] PHP - no visible directory

Russell Howe rhowe at siksai.co.uk
Tue Nov 21 23:42:16 UTC 2006


On Tue, Nov 21, 2006 at 11:31:48PM +0000, ft wrote:
> Hello, 
> 

[...]

> html-link on the website
> <a href="index.php?file=file.pdf">Link for download</a>
> 
> PHP-script
> <?
> $dir = "./dir1/dir2/";
> $download = $dir.$file;

ACK ACK ACK

Do not construct paths in this way without at least checking that the
resulting path is not based in $dir!

Also, never ever ever use register_globals!

What if someone asks for

index.php?file=../../../../var/www/somewhere/.htpasswd

You're asking for a directory traversal vulnerability.

Also, just in case you hadn't heard of them, check up on things like
XSS, SQL injection and exploits related to misparsing of obscure
character encodings, to name just a few.

> # What is the command, to send the file to the client?

some form of open(), read() and write(), although no doubt PHP provides
something like sendfile()

> ?>

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
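For reference, here is the hardened form of the quoted download script. This is an added example, not code from the original post or from ft's site; it assumes the files live under ./dir1/dir2/ as in the quoted script, that the file name arrives as $_GET['file'] rather than through register_globals, and it uses readfile() as PHP's stand-in for the open()/read()/write() loop mentioned in the reply.

```php
<?php
// Added example (not from the original post): a download script that refuses
// directory traversal instead of blindly concatenating $dir and $file.
// Assumption: files are stored under ./dir1/dir2/ relative to this script.

$dir = realpath(__DIR__ . '/dir1/dir2');            // canonical base directory
$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';

// First gate: accept only a plain file name. No slashes, no "..", no NUL bytes,
// no leading dot, so "../../../../var/www/somewhere/.htpasswd" is rejected here.
if ($requested === '' || !preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $requested)) {
    http_response_code(400);
    exit('Bad request');
}

// Second gate: resolve the full path and confirm it is still inside $dir.
// realpath() returns false for missing files and follows symlinks, so a link
// pointing outside the directory is caught as well.
$download = realpath($dir . DIRECTORY_SEPARATOR . $requested);
if ($dir === false
    || $download === false
    || strpos($download, $dir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($download)) {
    http_response_code(404);
    exit('Not found');
}

// Send the file to the client. readfile() streams the contents to the output
// buffer; basename() keeps the suggested download name free of path components.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($download) . '"');
header('Content-Length: ' . filesize($download));
readfile($download);
```

The two checks are deliberately redundant: the name whitelist stops traversal strings before any filesystem call is made, and the realpath() prefix comparison catches anything the whitelist did not anticipate, such as a symlink inside $dir that resolves elsewhere.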
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug