Quoting steve miller <[EMAIL PROTECTED]>:
Still confused on a few things:
PHP uploads to a temp directory and then you need a script to move the
file. In oscommerce, there is no way for someone to access the upload
scripts unless they have access to the protected admin directory first.
So, how do they get the bad stuff into an open directory in the first
place?
Depends how well that directory is protected.
A simple test - create a file on your local machine with a form that
has the same fields as the "upload" form in the admin directory and
point it at the file on the server.
Try to upload using the form on the local machine. If this works,
then that's probably how it was hacked.
Any page I write that is in a protected directory asks for the session
authentication before it does anything else - it's not foolproof but
it does help.
M.
--
Matthew Macdonald-Wallace
[EMAIL PROTECTED]
http://www.truthisfreedom.org.uk/
____ The WDVL Discussion List from WDVL.COM ____
To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED] or
use the web interface http://e-newsletters.internet.com/discussionlists.html/
Send Your Posts To: wdvltalk@lists.wdvl.com
To change subscription settings, add a password or view the web interface:
http://intm-dl.sparklist.com/read/?forum=wdvltalk
________________ http://www.wdvl.com _______________________
You are currently subscribed to wdvltalk as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.