On Wed, 09 Feb 2011 16:18 -0800, "Jefferson Cowart" <[email protected]> wrote:
> On 02/09/2011 09:54 AM, Steven Kurylo wrote:
> >> I understand that, the problem I have is that there isn't any way for
> >> unauthenticated users to upload files to this server.

How can you be sure? Does the software in question ever write any files? Can the content of those files be influenced from outside the system? Is every existing file on the system harmless if interpreted as PHP?

That the software is using an "include" to retrieve what appears to be user data additionally gives me the heebie-jeebies. I'd want to check that the files so generated cannot possibly contain PHP code. Little Bobby Tables might have a different "ethnic" name >:-}. http://xkcd.org/327/

- Stephen

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
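
An added example, not part of the original message: one way to audit whether the files under a directory the application writes to would be harmless if passed to PHP's include. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Byte sequences that start PHP code when a file is include()d.
# "<?php" always does; "<?=" always does since PHP 5.4.
DEFINITE = re.compile(rb"<\?php\b|<\?=", re.I)
# These depend on the PHP version and php.ini: bare "<?" (short_open_tag),
# "<%" (asp_tags, removed in PHP 7) and <script language="php"> (removed in PHP 7).
CONDITIONAL = re.compile(
    rb"<\?(?!xml\b|php\b|=)|<%|<script\s+language\s*=\s*[\"']?php", re.I)

def classify(data: bytes) -> str:
    """Return 'php', 'config-dependent' or 'inert' for one file's bytes."""
    if DEFINITE.search(data):
        return "php"
    if CONDITIONAL.search(data):
        return "config-dependent"
    return "inert"

def audit_tree(root: str) -> dict:
    """Map relative path -> verdict for every file that is not inert."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # whole-file read; fine for small data files
                    verdict = classify(fh.read())
            except OSError:
                verdict = "unreadable"  # cannot be vouched for, so report it
            if verdict != "inert":
                findings[os.path.relpath(path, root)] = verdict
    return findings

def demo() -> dict:
    # Constructed sample: a data directory the application writes into.
    samples = {
        "profile_alice.txt": b"name=Alice\ncolour=blue\n",
        "profile_bobby.txt": b"name=Bobby <?php echo 1; ?>\n",
        "feed.xml": b'<?xml version="1.0"?><rss/>',
        "cache.dat": b"\x00\x01binary<? echo 1; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_tree(root)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:17} {path}")
```

A clean scan only covers files that exist at the time it runs; anything the application writes later from outside input needs the same check before it can reach an include.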
