On 05/20/2010 02:47 PM, Solar Designer wrote:
> That's correct, except for the "only ... into the home directory" part.
> In practice, this restriction may apply most of the time, but there are
> scenarios where a download into another directory could also allow for
> an attack. For example, a cron job on a web hosting account may use
> wget to update a file below the "document root". An attack would be to
> provide an .htaccess file instead.

Hm... a problem with this is that it also applies to the case when
someone is recursively-fetching, and the remote server is (even
accidentally) misconfigured to include .htaccess in auto-generated
indexes (and to allow public reading of that file). No obvious way to
avoid that situation that I can think of... might be worth documenting
somewhere.

-- 
Micah J. Cowan
http://micah.cowan.name/
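
Added example, not part of the original thread and not wget's own code: one mitigation for both cases discussed above (the cron-job download and the recursive fetch) is to download into a staging directory outside the document root and publish only files that are neither dotfiles nor under a dot-directory. The function names, the directory layout and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Stage-then-publish wrapper for a cron job that copies remote content
# into a web server's document root.

# fetch_to_stage URL STAGE: download into a directory the web server does
# not serve, so a remotely chosen file name never lands in the docroot.
fetch_to_stage() {
    wget -q -P "$2" -- "$1"
}

# publish_staged STAGE DEST: copy regular files from STAGE to DEST (an
# absolute path), withholding every dotfile (.htaccess, .htpasswd, ...)
# and everything below a dot-directory. Prints the number withheld.
publish_staged() {
    stage=$1; dest=$2
    withheld=$(cd "$stage" && find . -type f -path '*/.*' | wc -l | tr -d ' ')
    (cd "$stage" && find . -type f ! -path '*/.*' -exec sh -c '
        dest=$1; shift
        for f; do
            mkdir -p "$dest/$(dirname "$f")" && cp "$f" "$dest/$f"
        done' sh "$dest" {} +) || return 1
    echo "$withheld"
}

# Constructed demo: a staged tree standing in for what a fetch from a
# misconfigured or hostile server could leave behind.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/stage/docs" "$demo_root/docroot"
echo '<p>ok</p>' > "$demo_root/stage/index.html"
echo 'text' > "$demo_root/stage/docs/readme.txt"
echo 'AddHandler cgi-script .txt' > "$demo_root/stage/.htaccess"  # constructed
echo "withheld: $(publish_staged "$demo_root/stage" "$demo_root/docroot")"
rm -rf "$demo_root"
```

A non-zero withheld count is worth logging from the cron job, since it means the remote side offered a file the server would have interpreted as configuration.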
