Re: [wdvltalk] writeable directories

Wed, 26 Nov 2008 07:27:35 -0800 

Makes sense :)
A lot of what I deal with is for clients who want pre-written applications installed, and I guess I'll just have to check first to see how uploaded files are being handled. 

Thanks!




On Nov 26, 2008, at 10:20 AM, David Precious wrote:


Matthew Macdonald-Wallace wrote:

Quoting steve miller <[EMAIL PROTECTED]>:

Still confused on a few things:

PHP uploads to a temp directory and then you need a script to  
move the
file. In oscommerce, there is no way for someone to access the  
upload
scripts unless they have access to the protected admin directory  
first.
So, how do they get the bad stuff into an open directory in the  
first

place?

Depends how well that directory is protected.

A simple test - create a file on your local machine with a form  
that has the same fields as the "upload" form in the admin  
directory and point it at the file on the server.
Try to upload using the form on the local machine.  If this works,  
then that's probably how it was hacked.



Agreed, that's a simple test (ensure you're not logged in when you  
try it though, obviously).





Any page I write that is in a protected directory asks for the  
session authentication before it does anything else - it's not  
foolproof but it does help.


Indeed - authentication/authorisation should always be checked first.


I think that, due to the way CGI file uploads work, the file will  
always be uploaded to the web server, but to a temporary directory  
somewhere; as long as the script it was POSTed to does /not/ move  
the file from that temporary location to wherever it wanted to put  
it before checking the user is authorised, all should be fine, and  
the temporary file should get deleted automatically when the  
request is over with.


Cheers

David P



____ • The WDVL Discussion List from WDVL.COM • ____
To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED] or
use the web interface http://e-newsletters.internet.com/discussionlists.html/
      Send Your Posts To: wdvltalk@lists.wdvl.com
To change subscription settings, add a password or view the web interface:
http://intm-dl.sparklist.com/read/?forum=wdvltalk

________________  http://www.wdvl.com  _______________________

You are currently subscribed to wdvltalk as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.






















					Reply via email to