09-27-2006
Richard Lynch
 
Posts: n/a
Re: [PHP] Download files outside DocumentRoot Dir

On Mon, September 25, 2006 7:52 am, Miles Thompson wrote:
> $filenam = $_REQUEST["filenam"];
> if ($filenam){
> $contents = file_get_contents( "../above_root/" .
> $filenam );
> echo $contents;
> }else{
> echo "Not found";
> }


I certainly hope this is not ALL of the script...

Imagine, if you will, that somebody surfs to this URL:
http://example.com/above_script.php?.../../etc/passwd

By the rules of Linux, they've just downloaded your passwd file, which
has all your usernames in it.

That's a Bad Thing, as they then can look for an easy password in
those accounts.

Sanitize your data!

PS Not to mention that file_get_contents() will suck the ENTIRE 60Mb
file into RAM, which is exactly what the OP needs to avoid... :-)

--
Like Music?
http://l-i-e.com/artists.htm
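As an added illustration of the two points raised in this reply (this is example code, not from the thread or either poster), a hardened version of the quoted snippet: it accepts only a plain filename, confirms the resolved path is still inside `../above_root/` (the directory from the quoted code, assumed here), and streams the file in chunks instead of reading it whole with file_get_contents(). Assumes PHP 7 or later.

```php
<?php
// Added example: hardened download handler for files outside DocumentRoot.
// Assumptions: files live in ../above_root/ relative to this script, and
// clients are expected to request flat filenames only (no subdirectories).

$baseDir = realpath(__DIR__ . '/../above_root');
$filenam = $_REQUEST['filenam'] ?? '';

// 1. Whitelist the filename: letters, digits, dot, dash, underscore, and no
//    leading dot. This rejects "/", "\" and "..", so traversal never resolves.
//    \A and \z (not ^ and $) so a trailing newline cannot slip past the check.
if ($filenam === '' || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $filenam)) {
    http_response_code(400);
    exit('Bad request');
}

// 2. Belt and braces: canonicalise and confirm the result is still under
//    $baseDir. realpath() returns false for a nonexistent file, and symlinks
//    are resolved, so a link pointing outside the directory is caught too.
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $filenam);
if ($path === false
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 3. Stream in 8 KB chunks so a 60 MB file never sits in RAM in one piece.
//    Drop any output buffering first, or the buffer would accumulate it all.
while (ob_get_level() > 0) {
    ob_end_clean();
}
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');

$fh = fopen($path, 'rb');
if ($fh === false) {
    http_response_code(500);
    exit('Read error');
}
while (!feof($fh)) {
    echo fread($fh, 8192);
    flush();
}
fclose($fh);
```

Step 1 alone is enough to block the ../etc/passwd request in the reply; step 2 is there so the check survives a later change that starts allowing subdirectories.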