It could present a problem depending on how the permissions are set up on the shared hosting and if open_base is in effect. If they can get the /etc/shadow file from a PHP file being run by Apache then you have an issue, because Apache would be running as root. Take the below example.

include('templates/' . $_GET['page'] . '.php');

Even if you had the ability to include remote files turned on you wouldn't be able to pull one. What you can do is pull anything the webserver is allowed to view (i.e. /etc/passwd). While that doesn't contain any passwords it lets people know valid system logins. You can get the contents to dump by using

www.somehost.com/index.php?page=../../../../../../../../../etc/passwd%00

The %00 is what you call a null terminator. This will drop anything that's added after it.

I hope this helps.

William Betts

On Nov 15, 2007 4:03 PM, Instruct ICC <instructicc@xxxxxxxxxxx> wrote:
>
> > > I think file_exists returns false for remote files ;)
> >
> > Even if it did (it doesn't:
> > http://uk3.php.net/manual/en/wrappers.ftp.php), I'd still rather not let
> > someone steal my /etc/passwd or /etc/shadow etc. files.....
> >
> > As I said before. Some form of regexp or similar restriction is 100%
> > necessary before trusting untrustworthy data.
> >
> > Col
>
> 1 test I did confirmed the "false" for the remote files.
>
> How about that shared host hack attempt? Does that present a problem for shared hosts?
>
> This should be my last post to this list from hotmail. Hopefully I'll see you all nicely threaded with gmail. That's where I keep my other lists anyway.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
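A hardened form of the include discussed above, added here as an example and not code from the thread: instead of trying to strip "../" or a null byte out of the input, it accepts only page names matching a strict pattern and a fixed allow-list, then checks that the resolved path stays inside the templates directory. The directory name, the allow-list and the page names are assumptions for illustration.

```php
<?php
// Added example (not from the thread): a safe replacement for
// include('templates/' . $_GET['page'] . '.php');
//
// The "regexp or similar restriction" Col asks for: reject anything that is
// not a plain, known page name, so traversal and %00 never reach include().

declare(strict_types=1);

// Assumed layout: templates live beside this script.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Fixed allow-list of pages this application actually serves (assumed names).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Return the absolute path of the template for $page, or null if $page
 * is not an allowed name or does not resolve inside TEMPLATE_DIR.
 */
function resolveTemplate(string $page): ?string
{
    // 1. Strict syntactic check: lowercase letters, digits, dash, underscore.
    //    This alone rejects "../", a null byte and any other path syntax.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }

    // 2. Semantic check: the name must be one we explicitly serve.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // 3. Defence in depth: the resolved file must exist and must stay
    //    under TEMPLATE_DIR (realpath() returns false if it does not exist).
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'home';
$template  = resolveTemplate($requested);

if ($template === null) {
    http_response_code(404);
    exit('Page not found');
}
include $template;
```

With this in place a request such as ?page=../../../../etc/passwd%00 fails at the first check and is logged by the web server as a 404 rather than reaching include().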