> > > /?file=../../../../../../proc/self/environ%00 HTTP Response 200
> > > /?mod=../../../../../../proc/self/environ%00 HTTP Response 200
> > > /?page=../../../../../../proc/self/environ%00 HTTP Response 200
> >
> > It should be reasonably straightforward to try going to those urls
> > yourself and see if it works.
>
> It's even more straightforward to believe the logging is not broken and
> believe the 200 response code.

That seems like a leap of faith. Hit any static directory page on your own web site (such as ones provided by index.html), provide a URL parameter like those above, and see if it gives you an error. You probably won't, since any parameters supplied that aren't used are just going to be ignored.

Or maybe I misunderstood what you're trying to say...

Testing this attack for yourself is the key.

tim
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
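As an added example (not part of the original thread), the log triage below applies the point made in the reply: a 200 on a traversal probe is inconclusive until the response size is compared with the same path requested without parameters. The log format, addresses, sizes, the `/view.php` path and the `triage` helper are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache common-log style (not from the thread).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2012:13:55:36 -0700] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2012:13:55:40 -0700] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2012:13:55:41 -0700] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2012:13:55:42 -0700] "GET /view.php HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2012:13:55:43 -0700] "GET /view.php?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 911
"""

LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')
TRAVERSAL = re.compile(r'\.\./|\.\.\\|/proc/self/|\x00')  # checked after URL-decoding

def triage(log_text):
    """Return (request, verdict) for every traversal-looking request."""
    entries = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            target, status, size = m.groups()
            entries.append((target, int(status), 0 if size == "-" else int(size)))
    # Baseline: body sizes seen for each path when requested with no query string.
    baseline = defaultdict(set)
    for target, status, size in entries:
        parts = urlsplit(target)
        if status == 200 and not parts.query:
            baseline[parts.path].add(size)
    results = []
    for target, status, size in entries:
        parts = urlsplit(target)
        if not TRAVERSAL.search(unquote(parts.query)):
            continue
        known = baseline.get(parts.path, set())
        if status != 200:
            verdict = "rejected"
        elif not known:
            verdict = "no-baseline"        # nothing to compare against
        elif size in known:
            verdict = "likely-ignored"     # same body as the plain page
        else:
            verdict = "investigate"        # 200 with a different body
        results.append((target, verdict))
    return results

if __name__ == "__main__":
    for request, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:15} {request}")
```

Size equality is only a heuristic: pages whose length varies per request will show up as "investigate", and those are the ones worth replaying by hand as the thread suggests.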
