[thelist] style switcher in php?

Kevin p+evolt at redbrick.dcu.ie
Mon Nov 4 09:14:01 CST 2002


On Sun, Oct 27, 2002 at 12:28:19PM +1100, Lachlan Cannon wrote:
> David U. wrote:
> > Lachlan Cannon wrote:
> >>Geoff Sheridan wrote:
> >>I don't see how this is any different, apart from requiring one more
> >>level of .. than the other, and as long as the ? works like I'd think
> >>it would,

> > The ? is part of the PHP closing tag.

> No, the ? in the user submitted value. The user submits
> "../../password.pw?" thus making the file request read
> "/style/../../password.pw?.css".

Of course this whole point is fairly moot, given the PHP file doesn't display
the filename, it merely links to it. So if someone doesn't have webserver
privileges to it, then they can't view it. The page will b0rk, but that's
just a little flaw rather than a security hole.


- Kevin
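
Added example, not part of the original post or the thread's code: a style switcher that resolves the submitted name against a fixed list, so a value like the "../../password.pw?" quoted above never reaches the href and the page does not break. The `style` parameter, the `/style/` directory and the style names are assumptions.

```php
<?php
// Added example. STYLE_DIR, STYLES and the "style" parameter are assumptions,
// not taken from the script discussed in the thread.
const STYLE_DIR = '/style/';
const STYLES    = ['default', 'highcontrast', 'print']; // constructed list
const FALLBACK  = 'default';

// Map untrusted input to one of the known style names.
function resolve_style($requested): string
{
    // $_GET values can be arrays (?style[]=x), so check the type first.
    // The strict comparison means anything containing "/", "..", "?",
    // a NUL byte or different case simply fails to match the list.
    if (is_string($requested) && in_array($requested, STYLES, true)) {
        return $requested;
    }
    return FALLBACK;
}

// Build the <link> tag. The href is assembled only from constants and a
// list member, and is still escaped because it lands in an HTML attribute.
function stylesheet_link($requested): string
{
    $href = STYLE_DIR . resolve_style($requested) . '.css';
    return '<link rel="stylesheet" type="text/css" href="'
        . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample inputs, including the value quoted in the thread.
$samples = ['print', '../../password.pw?', null, 'PRINT', "default\0", ['x']];
foreach ($samples as $s) {
    printf("%-26s => %s\n", json_encode($s), stylesheet_link($s));
}

// In the page itself the call would be:
//   echo stylesheet_link($_GET['style'] ?? null);
```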


