On Tue, Feb 03, 2004 at 11:28:57AM +0100, Cedric Cochin wrote: > - -- HTTP Request -- > > http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00 > > - -- HTTP Request -- That's what "php_value include_path" is for. Most Sites running phpmyadmin probably have users which not only can manage their databases, but also put up php-code as they like. And of course they can upload things like that: http://seegras.discordia.ch/Programs/phpdir Cheers Peter Keel -- Operator in charge of Security Tel +41 1 287 2993 Cyberlink Internet Services AG Fax +41 1 287 2991 Richard Wagnerstrasse 6 admin@cyberlink.ch CH-8002 Zuerich http://www.cyberlink.ch
