72 Reader Comments

1. 

   Jakks 1:56 pm on August 18, 2003

   Just a quick note. I finally pu this system into use and I discovered another security leak. For Example I have a directory with these files and directories:

   index.php
   aboutus
   thisismusic
   secretstuff

   And you go to:

   http://www.domain.com/index.php?p=aboutus/index

   Everything goes well, seeing as how folders and directory structure are still compatable with this system. BUT if you have a password protected directory(secretstuff) and someone types:

   http://www.domain.com/index.php?p=secretstuff/index

   They will immediately gain acess bypassing the security check…Does anyone know a way around this? I am actually using it to my advantage right now, but it is useful knowledge.

   Jakks

   Embed
   Copy & paste the code below to embed this comment. <figure class="embedded-quote" id="ala-embedded-comment-321242"><blockquote> <p>Just a quick note. I finally pu this system into use and I discovered another security leak. For Example I have a directory with these files and directories:</p><p>index.php<br />aboutus<br />thisismusic<br />secretstuff</p><p>And you go to:</p><p>http://www.domain.com/index.php?p=aboutus/index</p><p>Everything goes well, seeing as how folders and directory structure are still compatable with this system. <span class="caps">BUT</span> if you have a password protected directory(secretstuff) and someone types:</p><p>http://www.domain.com/index.php?p=secretstuff/index</p><p>They will immediately gain acess bypassing the security check…Does anyone know a way around this? I am actually using it to my advantage right now, but it is useful knowledge.</p><p>Jakks</p></blockquote><figcaption>— Jakks on <a href="http://alistapart.com/comments/phpcms#321242">Manage Your Content With PHP</a></figcaption></figure> <script async data-comment="321242" charset="utf-8" src="http://d.alistapart.com/_/js/comment-embed.min.js"></script>
2. 

   2:46 pm on September 24, 2003

   never use redirects throug the URL. Some one could do http://domain.tld/goto.php?s=/usr/var

   Embed
   Copy & paste the code below to embed this comment. <figure class="embedded-quote" id="ala-embedded-comment-321243"><blockquote> <p>never use redirects throug the <span class="caps">URL</span>. Some one could do http://domain.tld/goto.php?s=/usr/var</p></blockquote><figcaption>— on <a href="http://alistapart.com/comments/phpcms#321243">Manage Your Content With PHP</a></figcaption></figure> <script async data-comment="321243" charset="utf-8" src="http://d.alistapart.com/_/js/comment-embed.min.js"></script>