<?php

// Refuse any requested filename that contains a slash (a crude path-traversal
// check), record the requesting IP and the name at the top of loggedips.txt,
// then stop; otherwise hand the name to showsource().
// $file originally came from register_globals; read it from $_GET explicitly.
$file = isset($_GET['file']) ? $_GET['file'] : '';

if (preg_match('#/#', $file))
{
 // Keep the requested name: the original reused $file for the log contents,
 // so the log line ended up reading "Array" instead of the name.
 $requested = $file;
 $old = file_exists("loggedips.txt") ? file("loggedips.txt") : array();
 $fp = fopen("loggedips.txt", "w");
 fwrite($fp, "\r\n".$_SERVER['REMOTE_ADDR']." to ".$requested);
 for($i=0;$i<sizeof($old);$i++)
  fwrite($fp, $old[$i]);
 fclose($fp);
 die("Hack attempt...IP Logged");
}
else
 showsource($file);
?>
----- Original Message -----
From: "Bob" <[EMAIL PROTECTED]>
To: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, August 17, 2001 2:17 PM
Subject: Re: [PHP] hacks we should know about


> Rasmus, if password.inc is being parsed by PHP then how would you get the
> code??? Won't it just be a blank page???   Oh, I thought up one more ...
>
> 4. checking for HTML tags and PHP scripting when accepting data from text
> boxes
>
>
> Rasmus Lerdorf wrote:
>
> > > Hi, I found it very helpful to know about hacks such as the list below
> > > and was wondering if anyone had any more dumb mistakes they could tell
> > > us about before we make them.
> > >
> > > 1. http://www.somesite.com/source.php3?url=/etc/passwd
> > > 2. http://www.somesite.com?page=../../../../etc/passwd
> > > 3. not setting .inc files to be parsed by php
> >
> > This is the wrong solution to securing include files.  The correct
> > solution is to block any direct access to .inc files by either putting
> > them outside your document root or by using an Apache deny rule.
> >
> > -Rasmus
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>


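The snippet at the top of this message only rejects names containing a slash and rewrites the whole log file on every hit. Below is an added example, not code from the thread or from any poster, of how a "show source" page can handle items 1 and 2 of Bob's list: it accepts only a strict whitelist of filenames, confirms with realpath() that the resolved path stays inside one directory, appends rejected requests to the log instead of rewriting it, and renders the file with highlight_file() rather than executing it. The directory name `sources`, the request parameter `file` and the log file name are assumptions.

```php
<?php
// Added example (not from the thread). Assumes sources live in ./sources and
// the request parameter is named "file"; both names are hypothetical.

function resolve_source_path($requested, $baseDir)
{
    // Allow only a simple name: letters, digits, "_", "-", and a .php suffix.
    // This rejects "/", "..", "/etc/passwd", NUL bytes and URL-encoded tricks
    // before the filesystem is ever consulted.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);

    // realpath() resolves symlinks and "..", and returns false for a missing
    // file; the resolved path must still start with the base directory.
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function log_rejected_request($logFile, $remoteAddr, $requested)
{
    // Append under a lock instead of reading and rewriting the whole file,
    // so concurrent requests cannot clobber each other's entries.
    $line = date('c') . ' ' . $remoteAddr . ' requested ' . $requested . "\n";
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

$requested = isset($_GET['file']) ? $_GET['file'] : '';
$path = resolve_source_path($requested, __DIR__ . '/sources');

if ($path === null) {
    log_rejected_request(__DIR__ . '/loggedips.txt', $_SERVER['REMOTE_ADDR'], $requested);
    http_response_code(400);
    // Do not echo the submitted name back unescaped (item 4 of Bob's list).
    exit('Invalid file name');
}

// highlight_file() displays PHP source as HTML without running it.
highlight_file($path);
```

The whitelist does the real work; the realpath() check is a second line of defence for cases such as a symlink inside `sources` pointing elsewhere. Item 3 (include files) is a separate problem and is handled the way Rasmus describes: keep `.inc` files outside the document root or deny direct access to them in the web server configuration, rather than relying on the parser to hide their contents.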
