Re: Can anybody communicate with the operating system without the php server?
- From: Fro <showandbeshown@xxxxxxxxx>
- Date: Thu, 28 Feb 2008 15:20:07 -0800 (PST)
> It's certainly possible, but how would they have found your directory? I
> would triple-check my own script first to make sure there were no holes
> before I started looking for zebras.

There is not so much to check. The only php-command which can save
files (or the only one that I use) is "move_uploaded_file". Among all my
php scripts there is only one which contains this command. And the
command is used in the following way:

    $uploadfile = $id."_tmp.jpg";
    move_uploaded_file($_FILES['user_file']['tmp_name'], $uploadfile);

So, if a user uploads a file using my php-script, it (the file)
will be saved in my directory under a name which ends with "_tmp.jpg".
However, in the directory I found files which end with .php.
So I can conclude that a hacker either used another php script (not
mine) or could create a file in my directory without the use of a
php-script.
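
A hardened form of the two-line upload handler quoted in the post, added here as an example (it is not the poster's code). It assumes that $id arrives with the request as a numeric record id in a form field named id, which the post does not state, and it uses a hypothetical storage directory UPLOAD_DIR outside the web root and a constructed size limit.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the post): $id is a numeric record id taken from the
// request, and UPLOAD_DIR is a hypothetical directory outside the web root.
const UPLOAD_DIR = '/var/app-data/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

function store_upload(array $file, string $id): string
{
    // Digits only: no '/', '..', NUL byte or '.' can reach the file name.
    if (!ctype_digit($id) || strlen($id) > 10) {
        throw new InvalidArgumentException('id must be 1-10 digits');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload did not complete');
    }
    $tmp = $file['tmp_name'] ?? null;
    // Accept only a temp path that PHP itself created for this request.
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the bytes, never from the client-supplied name/type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== 'image/jpeg') {
        throw new RuntimeException('not a JPEG');
    }
    // The destination is built only from the fixed directory and checked digits.
    $dest = UPLOAD_DIR . '/' . $id . '_tmp.jpg';
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $dest;
}

try {
    store_upload($_FILES['user_file'] ?? [], (string)($_POST['id'] ?? ''));
    echo 'stored';
} catch (Throwable $e) {
    // Log every rejection so it can be matched against the web server access log.
    error_log('upload rejected: ' . $e->getMessage());
    http_response_code(400);
    echo 'rejected';
}
```

With the name constrained this way, any file in the storage directory that does not match <digits>_tmp.jpg cannot have been written by this handler, which narrows the search to other scripts or other access paths.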