I'll test!
Sure hope it's not this easy, because it means that directory
permissions are not going to stop anything :(
On Nov 26, 2008, at 10:09 AM, Matthew Macdonald-Wallace wrote:
Quoting steve miller <[EMAIL PROTECTED]>:
Still confused on a few things:
PHP uploads to a temp directory and then you need a script to move
the
file. In oscommerce, there is no way for someone to access the upload
scripts unless they have access to the protected admin directory
first.
So, how do they get the bad stuff into an open directory in the first
place?
Depends how well that directory is protected.
A simple test - create a file on your local machine with a form
that has the same fields as the "upload" form in the admin
directory and point it at the file on the server.
Try to upload using the form on the local machine. If this works,
then that's probably how it was hacked.
Any page I write that is in a protected directory asks for the
session authentication before it does anything else - it's not
foolproof but it does help.
M.
--
____ The WDVL Discussion List from WDVL.COM ____
To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED] or
use the web interface http://e-newsletters.internet.com/discussionlists.html/
Send Your Posts To: [email protected]
To change subscription settings, add a password or view the web interface:
http://intm-dl.sparklist.com/read/?forum=wdvltalk
________________ http://www.wdvl.com _______________________
You are currently subscribed to wdvltalk as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
