[CentOS] case insensitive file system
Kai Schaetzl
maillists at conactive.com
Wed Apr 30 15:27:18 UTC 2008
Ruslan Sivak wrote on Wed, 30 Apr 2008 10:29:25 -0400:
> And inside index.php it does something like
>
> <? include($_GET['page'].".php") ?>
>
> This is a gross simplification, but it's my understanding that if the
> file was named 'foo.php' and someone typed in
>
> http://www.domain.com/index.php?action=Foo
Did you mean page=Foo?
I hope that was really just an example. If you take that input unchecked
and include other files with it, your security is non-existent.
>
> It would still work on windows, but not on linux because of case
> sensitivity.
Simple: downcase all variable input that you need for further processing.
If it's not external input, but your application simply does not
differentiate between cases and sometimes includes "Somepage.php" and
sometimes "somepage.php", that is really bad programming and it's also
easily solved by a find/replace. Nothing big.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
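The include pattern quoted in the thread, beside a hardened form of it, as an added example that is not part of the original post or of any project mentioned in it. It assumes a pages/ directory next to index.php; the page names, resolve_page() and ALLOWED_PAGES are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumes index.php sits next to a
// "pages/" directory; the page names below are made up for the demo.

// 1. The pattern quoted in the thread. Whatever the client sends becomes part
//    of a file path, so besides the case-sensitivity difference between
//    Windows and Linux it lets a request choose which file gets included:
//
//      include($_GET['page'] . ".php");

// 2. Hardened form: lower-case the input (Kai's advice), then look it up in a
//    fixed map of permitted pages instead of building a path from it.
const PAGES_DIR = __DIR__ . '/pages';

// Keys are lower-case, so "Foo", "FOO" and "foo" resolve to the same file on
// every file system; anything not listed here is refused.
const ALLOWED_PAGES = [
    'foo'     => 'foo.php',
    'bar'     => 'bar.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $requested): ?string
{
    if ($requested === null) {
        return null;
    }
    $key = strtolower(trim($requested));
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null; // unknown page: refuse rather than guess
    }
    $path = PAGES_DIR . '/' . ALLOWED_PAGES[$key];

    // Defence in depth: the resolved file must really live under PAGES_DIR.
    $real = realpath($path);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = resolve_page($_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
include $page;
```

With this, the URL case problem disappears on Linux, and a request can only ever reach the files named in ALLOWED_PAGES.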