hack this code :)

hi all,

would you please help me find any security flaw in this code (if any)?
thank you so much

http://paste.uni.cc/9829

bye

--
NoWhereMan
-- NoWhereBlog: www.nowhereland.it
-- deviantArt: http://nowhereland.deviantart.com
-- Giochi a BiteFight? http://bitefight.nowhereland.it/
-- Vagisil migliora la tua vita intima: www.vagisil.com/teencenter.shtml
Sep 3 '06 #1
"NoWhereMan" <no********@PLEASEDONTSPAMMEdespammed.com> wrote in message
news:1a****************************@40tude.net...
> hi all,
>
> would you please help me find any security flaw in this code (if any)?
> thank you so much
>
> http://paste.uni.cc/9829
>
> bye
Hi.

If you don't post defaults.php, there is no telling if there really is a
security flaw.
Sep 3 '06 #2
on Sun, 3 Sep 2006 13:37:35 +0200, Hans 'pritaeas' Pollaerts wrote:
> If you don't post defaults.php, there is no telling if there really is a
> security flaw.
defaults.php defines only the constants you read in the code :)

define('IMAGES_DIR', 'fp-content/content/mages');
define('ATTACHS_DIR', 'fp-content/content/attachs');

plus others you don't need to know here...
nothing else

bye :)

Sep 3 '06 #3
NoWhereMan wrote:
> would you please help me find any security flaw in this code (if any)?
> thank you so much
>
> http://paste.uni.cc/9829
I assume you have properly set your base dir restriction directive in your
php.ini file to handle cases where $_REQUEST['f'] would be defined as
'../someprivatedir/dbconnect.php'?

JW
Sep 3 '06 #4
on Sun, 3 Sep 2006 14:03:23 +0200, Janwillem Borleffs wrote:
> NoWhereMan wrote:
>> would you please help me find any security flaw in this code (if any)?
>> thank you so much
>>
>> http://paste.uni.cc/9829
>
> I assume you have properly set your base dir restriction directive in your
> php.ini file to handle cases where $_REQUEST['f'] would be defined as
> '../someprivatedir/dbconnect.php'?
>
> JW
actually I can't as I don't own the webserver (and as the script is
supposed to be distributed), and that's why I've put these lines:

if (strpos($name, '..')!==false || strpos($name,'/')!==false)
die('Invalid file name!');

Sep 3 '06 #5
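The check in NoWhereMan's last reply rejects any name containing '..' or '/', which covers the case JW raised. As an added example (not the code from the paste, which is not reproduced in this thread), here is the shape of that validation a reviewer would normally ask for when open_basedir cannot be relied on: an allowlist on the raw name plus a realpath() containment check against the base directory, so the decision is made by the script itself rather than by the hosting server's php.ini. The assumed use is a script that serves a file from IMAGES_DIR by the name given in $_REQUEST['f']; IMAGES_DIR is pointed at a constructed temporary directory, and the sample names are constructed (the traversal one is the example from JW's reply), so the script runs stand-alone.

```php
<?php
// Added example, not from the thread's paste. Hardened file-name validation
// for a script that serves files from a fixed directory by a user-supplied name.
// The constant name mirrors the poster's defaults.php; its value here is a
// constructed temporary path so the example can run anywhere.

define('IMAGES_DIR', sys_get_temp_dir() . '/fp-demo/fp-content/content/images');

/**
 * Returns the absolute path of $name inside $baseDir, or null if the request
 * must be rejected. Two independent layers are used on purpose:
 *  1. an allowlist on the raw name (letters, digits, dot, dash, underscore;
 *     no leading dot, so '..' and hidden files never pass), and
 *  2. a realpath() containment check, which catches anything the string
 *     check did not anticipate (symlinks, OS-specific separators).
 */
function safe_file_path(string $baseDir, string $name): ?string
{
    // Layer 1: only the characters a legitimate attachment name needs.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,254}$/', $name)) {
        return null;
    }

    // Layer 2: resolve both paths and require the file to sit under the base.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null; // base directory missing, or file does not exist
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved to a location outside the base directory
    }
    return $full;
}

// The check from the thread, kept here only for side-by-side comparison.
function original_check(string $name): bool
{
    return !(strpos($name, '..') !== false || strpos($name, '/') !== false);
}

// Constructed base directory with one legitimate file.
if (!is_dir(IMAGES_DIR)) {
    mkdir(IMAGES_DIR, 0700, true);
}
file_put_contents(IMAGES_DIR . '/photo.jpg', 'constructed sample');

$cases = [
    'photo.jpg',                        // legitimate request
    '../someprivatedir/dbconnect.php',  // the case raised by JW in this thread
    'missing.jpg',                      // well-formed name, file absent
];

foreach ($cases as $name) {
    printf("%-34s original: %-7s hardened: %s\n",
        $name,
        original_check($name) ? 'allow' : 'reject',
        safe_file_path(IMAGES_DIR, $name) ?? 'reject');
}
```

Both checks reject the traversal name; the difference is that the hardened version also refuses names that are merely unusual (a leading dot, a backslash, a non-existent file) instead of passing them on to the filesystem, and it verifies the resolved path rather than the requested string, which is the property a distributed script cannot otherwise guarantee without control of php.ini.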