[thelist] url specific session problem
elin tjerngren. artopod
elin at artopod.se
Wed Sep 17 11:30:36 CDT 2003
Hi Simon,
> This is unrelated to your problem, but does that URL mean that somewhere in
> your script you're doing this?
>
> include($_GET['page']);
>
> If so, you've got a HUGE security problem.
Yeah, it's stupid. Hmm - my fix to that was this,
    if ($_GET['page']) {
        $page=$rootdir.$_GET['page'];
    }
The $page is then checked to be a real file, and the actual catalogues on
the server have .htaccess files with permission denied for all.
I think that might do it?
(Actually mod_rewrite is now up and running on the server so I might use
it in the future)
Regards,
/Elin, http://artopod.com
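
An added example, not part of the original message: a check for the include-by-parameter pattern discussed in this thread, assuming a hypothetical resolve_page() helper and a constructed temporary directory layout. It compares "prefix a root directory and test that the file exists" with a check that the resolved path still lies inside that root.

```php
<?php
// Added example: resolve_page(), the directory layout and the inputs are constructed.

/** Map a user-supplied page name to a file under $rootdir, or null to refuse. */
function resolve_page(string $rootdir, string $page): ?string
{
    $root = realpath($rootdir);
    if ($root === false || strpos($page, "\0") !== false) {
        return null;                      // bad root, or NUL byte in the name
    }
    // realpath() collapses "..", "." and symlinks; false if nothing exists there.
    $real = realpath($root . DIRECTORY_SEPARATOR . $page);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved path must start with "<root>/".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed layout: pages/about.php is meant to be served, secret.txt is not.
$base = sys_get_temp_dir() . '/site_' . getmypid();
mkdir("$base/pages", 0700, true);
file_put_contents("$base/pages/about.php", "about\n");
file_put_contents("$base/secret.txt", "not for visitors\n");
$rootdir = "$base/pages/";

foreach (['about.php', '../secret.txt', 'missing.php'] as $page) {
    $naive = is_file($rootdir . $page);               // prefix + "is a real file"
    $safe  = resolve_page($rootdir, $page) !== null;  // prefix + containment
    printf("%-15s prefix+is_file: %-5s  contained: %s\n",
        $page, var_export($naive, true), var_export($safe, true));
}

// Remove the constructed files again.
unlink("$base/pages/about.php");
unlink("$base/secret.txt");
rmdir("$base/pages");
rmdir($base);
```

.htaccess deny rules apply to HTTP requests handled by Apache, not to files PHP reads from disk through include, so the containment check has to happen in the script. A fixed allowlist of page names mapped to files is a stricter alternative.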