[thelist] url specific session problem

Simon Willison cs1spw at bath.ac.uk
Wed Sep 17 12:36:34 CDT 2003

elin tjerngren. artopod wrote:
>>This is unrelated to your problem, but does that URL mean that somewhere in
>>your script you're doing this?
>>If so, you've got a HUGE security problem. 
> Yeah, it's stupid. Hmm - my fix to that was this,
> if ($_GET['page']) {
> 	$page=$rootdir.$_GET['page'];
> }

That doesn't protect you completely, as attackers can still do something 
like this:


A more reliable method would be to use the basename() function. This 
strips any directory information from a string, but unfortunately that 
means that in your case it would strip off the directory information 
that you want to keep.

> The $page is then checked to be a real file, and the actual catalogues on 
> the server have .htaccess files with permission denied for all.

Unfortunately .htaccess files won't prevent a script from include()ing a 
file that is in that directory - the .htaccess file only governs direct 
requests from web browsers, but doesn't have any effect on internal 
calls to a file from within PHP.

Best regards,

