<GEEK>Hacked some PHP yesterday, the guys who had built the newspaper's site thought that dynamic includes were really nifty... yup, so they used them heavily to include templates... but never thought "security", it was wide open for a dot-dot-slash hack. It was possible to fetch the contents of /etc/passwd ... I plugged it with a regexp hack that stripped off dot-dot-slash and everything before a slash and the slash... but also checks the existence of the desired file, in a predetermined directory... I think that would successfully plug that hole. Another 20 minute hack.</GEEK>
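The fix described in the post, as an added example that is not the blog author's or the newspaper site's code. It shows the vulnerable include pattern beside a hardened version. The parameter name `tpl`, the `TEMPLATE_DIR` constant and the `.tpl.php` extension are assumptions. It goes one step beyond the post's regexp: after reducing the request to a bare file name (what the regexp did) it also resolves the final path with `realpath()` and confirms the file exists inside the template directory, so symlinks or stream wrappers cannot lead outside it.

```php
<?php
// Added example, not the original site's code.
//
// Vulnerable form, as the post describes: the request parameter goes
// straight into include(), so "../" sequences walk out of the template
// directory and arbitrary readable files (e.g. /etc/passwd) are exposed.
//
//   include($_GET['tpl']);   // vulnerable: path traversal
//
// Hardened form. Assumed layout: templates live in TEMPLATE_DIR as
// plain *.tpl.php files and are selected by a short name only.

define('TEMPLATE_DIR', __DIR__ . '/templates');   // assumed location

function resolve_template(string $requested): ?string
{
    // 1. Drop every directory component. This is what the post's regexp
    //    did: "../../etc/passwd" becomes "passwd", "a/../b" becomes "b".
    $name = basename($requested);

    // 2. Allow only a conservative character set and length, so dots,
    //    null bytes, spaces and wrapper prefixes such as "php:" never
    //    reach include().
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $candidate = TEMPLATE_DIR . '/' . $name . '.tpl.php';

    // 3. Canonicalise both sides and require that the file exists AND
    //    still lives under TEMPLATE_DIR after symlink resolution.
    $base = realpath(TEMPLATE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the template directory
    }
    return $real;
}

// Usage: include only the path resolve_template() approved, never the raw input.
$tpl = resolve_template($_GET['tpl'] ?? 'default');
if ($tpl === null) {
    http_response_code(404);
    exit('Unknown template');
}
include $tpl;
```

The `basename()` step alone already stops the dot-dot-slash case from the post; the allow-list regexp and the `realpath()` containment check are the extra layers a practitioner would want, because they also catch a template directory that contains a symlink pointing elsewhere and any future refactoring that reintroduces a slash into the name.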
-
weird mail
Some dude contacted me, to try to buy this blog because of the name .. nope. Not for sale, sorry.
-
Almost a year
We have been living in Västerås for almost a year now, the way here was a bit bumpy in the beginning, as we had two months in between homes. See…
-
More about the move
Yeah, I have blogged more about the move over at b19.se/blog/kakbit .. in English.