girtsn Posted March 4, 2004

The problem is as follows: the PHP content of the page is include 'archive/' . $logi; where logi can be passed as a parameter. Of course, I can include other files on the same server, not only in the archive folder. The question: is it possible to supply a $logi (using, for example, the \0 or %00 character) that refers to another site? Nothing illegal, just curiosity :)

Gacha Posted March 5, 2004

Explain a bit more, it's hard to understand what you want! (I understood 20%)

girtsn Posted March 5, 2004 Author

I'll explain :)

http://elfai.com/mpm_chat_25/view.php?logi=../config.php

PHP content:

    <html>
    <body BGCOLOR="#99CCFF">
    <title>MPM Log viewer</title>
    <?php
    if ($logi != '') {
        include 'archive/' . $logi;
    } else {
        echo $lang_log_nolog;
    }
    ?><hr>
    <i>
    <?php echo $lang_log_example; ?>
    </i><br>
    <form action="view.php" method="post">
    <input name="logi" size="10">
    <input type="submit" value=" Submit ">
    </form>
    </body>
    </html>

So, given that there is the line include 'archive/' . $logi;, is it really possible to rule out that scripts get loaded from other sites (cross-site scripting, that is)? Isn't this a security hole (after all, other files can be included by means of the variable)? Just curiosity :)

rnc Posted March 5, 2004

It won't be possible to include from other sites.

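An added example, not part of the thread and not MPM chat's own code: a hardened form of the `include 'archive/' . $logi;` line from the post above, which only serves files that resolve inside `archive/` and prints them as data instead of executing them. The names `resolve_log` and `ARCHIVE_DIR`, the `.log`/`.txt` extension allowlist and the error text are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for  include 'archive/' . $logi;
// resolve_log() and ARCHIVE_DIR are hypothetical names, not from MPM chat.

const ARCHIVE_DIR = __DIR__ . '/archive';

/**
 * Return the absolute path of a log inside $baseDir, or null when the
 * requested name is not a plain log file name or resolves outside it.
 */
function resolve_log(string $name, string $baseDir = ARCHIVE_DIR): ?string
{
    // 1. Allowlist the name: letters, digits, '_', '-', one known extension
    //    (assumed to be .log or .txt). This rejects '/', '\', '..',
    //    NUL bytes and URL schemes in a single check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:log|txt)\z/', $name)) {
        return null;
    }

    // 2. Canonicalise and confirm containment (catches symlinks in archive/).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// 3. Read the parameter explicitly instead of using an implicitly set $logi.
$logi = isset($_REQUEST['logi']) && is_string($_REQUEST['logi'])
    ? $_REQUEST['logi']
    : '';
$path = $logi !== '' ? resolve_log($logi) : null;

if ($path !== null) {
    // Logs are data, not code: print them escaped rather than include() them.
    $text = file_get_contents($path);
    echo '<pre>', htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), '</pre>';
} else {
    echo 'No such log.';
}
```

With this check in place, the `logi=../config.php` request from the post above fails the name allowlist and never reaches the filesystem.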