Quote:
Originally posted by salo18
Geeez, we are talking about PHP security here.
My member area is coded in PHP, and I'm using htaccess to protect it. So I guess, before they can fuck up my member area they have to hack the htaccess part, right?
I could list the number of large adult companies I've seen broken through PHP scripting - rarely in the member's area. And even those times, it was trivial to exploit to gain access.
I'm not talking about gaining access to your member's area, I'm talking about gaining access to *your entire box*. If you can't grasp THIS concept, then don't even bother trying to code.
Example?
PHP Code:
<? include($_REQUEST['page'].".html"); ?>
How many times have you seen that?
http://www.lamesite.com/index.php?page=aboutus
That'd take 15 seconds to exploit to execute arbitrary PHP. Which then with a bit of system() trickery (or even using that mail() thing to bypass safe_mode) you're in with the Apache user.
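
A hardened replacement for the include pattern in the post above, as an added example that is not part of the original post. It assumes PHP 8; the `pages` directory, the page names and the `resolve_page` function are hypothetical.

```php
<?php
// Added example: replaces include($_REQUEST['page'].".html") with an
// allowlist lookup. Directory layout and page names are assumptions.
declare(strict_types=1);

const PAGES_DIR     = __DIR__ . '/pages';               // hypothetical: holds the .html fragments
const ALLOWED_PAGES = ['home', 'aboutus', 'contact'];   // hypothetical allowlist
const DEFAULT_PAGE  = 'home';

/**
 * Map the request parameter to a file path, or return null when the
 * value is not one of the fixed page names.
 */
function resolve_page(mixed $requested): ?string
{
    // Arrays (?page[]=x) and other non-string input are rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // Strict comparison against fixed names: a value containing a path
    // separator, URL scheme or null byte can never match.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.html');
    // Defence in depth: the resolved file must still sit inside PAGES_DIR,
    // which also catches a symlink planted in that directory.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// $_GET rather than $_REQUEST, so cookies cannot supply the value.
$path = resolve_page($_GET['page'] ?? DEFAULT_PAGE);
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
// readfile() sends the file as static content; unlike include, it never
// runs PHP code that the file might contain.
readfile($path);
```

Keeping `allow_url_include = Off` in php.ini (its default) is a second layer for any `include` call that was missed. The script should also run under an account that cannot write to `PAGES_DIR`.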