This thread is still alive? :)
What you see is what you include. André was mistaken. That is the lesson. And there is
no danger. If there was, folks would have stopped using PHP long ago.
In my case, I'm hijacking my own script on another server. I'm doing it only because I
don't have access
Ok so on this topic, I do something similar to this with my scripts, and if
my includes are vulnerable... I need to know how?
I have tested this and the includes parse the information as it includes it,
I can't see the code, so how is this possible where you say:
{
If someone were to
On Sun, 2004-02-08 at 04:14, PHP Email List wrote:
Ok so on this topic, I do something similar to this with my scripts, and if
my includes are vulnerable... I need to know how?
I have tested this and the includes parse the information as it includes it,
I can't see the code, so how is this
The security hole is probably not existent in my opinion.
PHP is (normally) parsed by the remote server (no source viewable) and the
result is being included, not the source.
When http://.../script.php?var=value was mentioned, it implies the
script is being parsed remotely so that the http
Hi,
As Andrew has said there is no risk here. What you will see is the
parsed output (if the webserver has PHP installed). If this is indeed a
vulnerability we can just add lines similar to
include("http://elsewhere.com/list.php");
in our code and be able to easily view other people's PHP
On Sun, 2004-02-08 at 08:27, Andrew Séguin wrote:
A test to confirm that, is to point the browser to the address being
included. See the source? vulnerable. See the results? not vulnerable.
If you do not see 'source' then what are you including? For example the
following script could be
: Sunday, February 08, 2004 11:49 AM
To: Andrew Séguin
Cc: PHP Email List; [EMAIL PROTECTED]
Subject: Re: [PHP] Revised: RE: [PHP] Re: Can I do this?
On Sun, 2004-02-08 at 08:27, Andrew Séguin wrote:
A test to confirm that, is to point the browser to the address being
included. See the source
Nope, I see the server-parsed output. Try loading the URL directly in
your browser!! What you see is what you get when you include.
Adam Bregenzer wrote:
On Sun, 2004-02-08 at 08:27, Andrew Séguin wrote:
A test to confirm that, is to point the browser to the address being
included. See the
On Sun, 2004-02-08 at 18:23, PHP Email List wrote:
I am going to be running some more tests, but so far all of the testing that
I have done running an HTTP request is parsing the include files. I have even
checked a browser-based FTP request and nothing shows for the PHP file.
I'd be