Gordon Henderson wrote:

> If the web server is running php, then this will work:
> 
> <?
> 
>    $action = $HTTP_GET_VARS["action"] ;
>    $file   = $HTTP_GET_VARS["file"] ;
>    $caller = $HTTP_GET_VARS["caller"] ;
> 
>    if (empty ($action) || empty ($file))
>      die ("Something went wrong")  ;
> 
> // Open the file
> 
>    $fileName = "/prefix/" . $file ;
>    $fd       = @fopen ($fileName, "rb") ;

Without any validation of the filename?
It could be "../../secret/file".


   Philipp Kempgen

-- 
http://www.das-asterisk-buch.de  -  http://www.the-asterisk-book.com
Amooma GmbH - Bachstr. 126 - 56566 Neuwied  ->  http://www.amooma.de
Managing Director: Stefan Wintermeyer, Commercial Register: Neuwied B14998
-- 
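
The validation the reply asks for, as an added example that is not part of the original thread: resolve the requested name with `realpath()` and accept it only if the result is a regular file under the base directory. The helper name `resolve_under_base()` and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example: confine a request-supplied file name to one base directory.
// resolve_under_base() is a hypothetical helper, not code from the thread.
function resolve_under_base(string $baseDir, string $requested): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; false if the target is missing.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare against base plus separator so "/prefix-old" cannot pass as "/prefix".
    $root = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $root, strlen($root)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed sandbox: <tmp>/prefix holds servable files, <tmp>/secret does not.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'prefix_demo_' . uniqid();
mkdir("$tmp/prefix/sub", 0700, true);
mkdir("$tmp/secret", 0700, true);
file_put_contents("$tmp/prefix/sub/message.wav", 'audio');
file_put_contents("$tmp/secret/file", 'private');

// Constructed request values, including the one quoted in the reply.
$samples = ['sub/message.wav', '../secret/file', '../../secret/file',
            'sub/../../secret/file', 'missing.wav'];
foreach ($samples as $name) {
    $path = resolve_under_base("$tmp/prefix", $name);
    printf("%-24s %s\n", $name, $path === null ? 'rejected' : 'allowed');
}
```

When the helper returns a path, that value is what goes to `fopen()`, in place of the concatenated `"/prefix/" . $file` string.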

asterisk-users mailing list