WebApp Sec mailing list archives
Re: htaccess with apache
From: "A.D.Douma" <addouma () home nl>
Date: Tue, 4 Nov 2003 20:38:10 +0100
Hello,

I had a similar problem with a CGI script that used a <input type='hidden' name='success' value='succes.html'> to point the client's browser to the "transaction complete page". Because of this, an attacker could read every file on the webserver. Luckily the /etc/passwd file was shadowed. My question is: what else could an attacker do? Would command execution be possible?

Thanks
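The message above describes a hidden form field whose value the script treats as a file path. The following is an added example, not part of the original post or the script it describes: it contrasts that pattern with two server-side fixes. Python is assumed because the post does not name the script's language, and the function names, the `RESULT_PAGES` table and `error.html` are hypothetical.

```python
import os

# Hypothetical server-side table: the form carries a token, never a path.
RESULT_PAGES = {"success": "succes.html", "failure": "error.html"}


def resolve_unsafe(doc_root, field_value):
    """Pattern from the post: the hidden field's value is used as the path."""
    return os.path.normpath(os.path.join(doc_root, field_value))


def resolve_by_token(doc_root, field_value):
    """Fix 1: look the token up; the client never influences the path."""
    name = RESULT_PAGES.get(field_value)
    if name is None:
        raise ValueError("unknown result page")
    return os.path.join(doc_root, name)


def resolve_confined(doc_root, field_value):
    """Fix 2: accept a name, but require the resolved file to sit in doc_root."""
    root = os.path.realpath(doc_root)
    # realpath collapses "..", absolute overrides and symlinks before the check.
    target = os.path.realpath(os.path.join(root, field_value))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes document root")
    if not os.path.isfile(target):
        raise ValueError("no such page")
    return target


def outcome(resolver, doc_root, field_value):
    """Return the resolved path, or 'rejected' if the resolver refuses."""
    try:
        return resolver(doc_root, field_value)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed field values: the intended one and two tampered ones.
    for value in ("succes.html", "../secret.txt", "/etc/passwd"):
        print(value, "->", outcome(resolve_unsafe, "/var/www/htdocs", value))
```

The confinement check only bounds where the file lives; the web server's own permissions and the script's account still decide what is readable inside the document root.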