Makes sense :)
A lot of what I deal with is for clients who want pre-written
applications installed, and I guess I'll just have to check first to
see how uploaded files are being handled.
Thanks!
On Nov 26, 2008, at 10:20 AM, David Precious wrote:
Matthew Macdonald-Wallace wrote:
Quoting steve miller <[EMAIL PROTECTED]>:
Still confused on a few things:
PHP uploads to a temp directory and then you need a script to move the
file. In oscommerce, there is no way for someone to access the upload
scripts unless they have access to the protected admin directory first.
So, how do they get the bad stuff into an open directory in the first
place?
Depends how well that directory is protected.
A simple test - create a file on your local machine with a form
that has the same fields as the "upload" form in the admin
directory and point it at the file on the server.
Try to upload using the form on the local machine. If this works,
then that's probably how it was hacked.
Agreed, that's a simple test (ensure you're not logged in when you
try it though, obviously).
Any page I write that is in a protected directory asks for the
session authentication before it does anything else - it's not
foolproof but it does help.
Indeed - authentication/authorisation should always be checked first.
I think that, due to the way CGI file uploads work, the file will
always be uploaded to the web server, but to a temporary directory
somewhere; as long as the script it was POSTed to does /not/ move
the file from that temporary location to wherever it wanted to put
it before checking the user is authorised, all should be fine, and
the temporary file should get deleted automatically when the
request is over with.
Cheers
David P
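An added example, not code from this thread or from osCommerce, of the ordering David describes: a PHP admin upload handler that checks the session before it touches the temporary file, so a request from a forged form with no admin session stops at step 1 and PHP discards the temp file when the request ends. It assumes PHP 7 or later, a hypothetical $_SESSION['admin_id'] flag set at admin login, an UPLOAD_DIR constant and a form field named 'image'.

```php
<?php
// Added example (not osCommerce code): admin upload handler that checks
// authorisation *before* doing anything with the uploaded temp file.
// Assumed names: $_SESSION['admin_id'], UPLOAD_DIR, form field 'image'.
session_start();

define('UPLOAD_DIR', __DIR__ . '/uploads');        // assumed storage path
$allowed_ext = ['gif', 'jpg', 'jpeg', 'png'];      // allowlist, not a denylist

function deny(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

// 1. Authorisation first. With no admin session the request ends here and
//    PHP removes the temp file automatically; nothing has been moved.
if (empty($_SESSION['admin_id'])) {
    deny(403, 'Admin login required');
}

// 2. Only now look at the upload itself.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_FILES['image'])
    || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
    deny(400, 'No valid upload');
}

$tmp = $_FILES['image']['tmp_name'];
// is_uploaded_file() confirms the path is this request's own temp file,
// not an arbitrary server path smuggled into the request.
if (!is_uploaded_file($tmp)) {
    deny(400, 'Not an uploaded file');
}

// 3. Validate the name: drop any directory part, allowlist the extension,
//    and pick the stored filename ourselves instead of trusting the client.
$ext = strtolower(pathinfo(basename($_FILES['image']['name']), PATHINFO_EXTENSION));
if (!in_array($ext, $allowed_ext, true)) {
    deny(400, 'File type not permitted');
}
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

// 4. Move the file out of the temp directory only after every check passed.
if (!move_uploaded_file($tmp, $dest)) {
    deny(500, 'Could not store file');
}
echo 'Stored as ' . basename($dest);
```

The vulnerable pattern the thread is warning about is the same script with step 1 placed after step 4, or missing altogether.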
____ The WDVL Discussion List from WDVL.COM ____