the-miz
asked on
Directory traversal vulnerability
I have come across a security issue on a Linux web server. If someone enters the following in the address bar of a web browser:
http://web.page.com/index.php?page=../../../../../../etc/passwd
They can view this file. I have since removed the web server from public access. The PHP script was internally created to be a helpdesk support site. What can be done to the server to make sure no one can call this command and view other directories on the server?
ASKER
Thanks!
You're welcome.
You could also check safe_mode (http://php.net/safe_mode)
and open_basedir (http://php.net/open-basedir).
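
One way to close the hole from the question inside the script itself, as an added example that is not part of the original thread or the asker's helpdesk code. It assumes the pages live in a `pages/` directory next to `index.php` and that the page names shown are the valid ones; both are hypothetical. It does not rely on safe_mode, which was removed in PHP 5.4.

```php
<?php
// Added example, not the original helpdesk script. PAGES_DIR, the allow-list
// and the page names are assumptions made for illustration.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'tickets', 'faq'];

/**
 * Map the ?page= value to a file inside PAGES_DIR, or return null.
 */
function resolvePage(string $requested): ?string
{
    // 1. Allow-list: the value must be one of the known page names, so
    //    "../../etc/passwd", NUL bytes and absolute paths never reach the disk.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise and confirm the result is still
    //    under PAGES_DIR (catches symlinks placed inside the directory).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$file = resolvePage($page);

if ($file === null) {
    http_response_code(404);
    // Log rejected values so traversal probes show up in the error log.
    error_log('index.php: rejected page parameter ' . json_encode($page));
    exit('Page not found');
}

require $file;
```

With `open_basedir` set to the application directory in php.ini or the virtual host, PHP itself refuses to open files such as /etc/passwd even where a script-level check like this one is missing.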