Re: Can anybody communicate with the operating system without the phpserver?

> It's certainly possible, but how would they have found your directory? I
> would triple-check my own script first to make sure there were no holes
> before I started looking for zebras.

There is not so much to check. The only php-command which can save files (or the only one that I use) is "move_uploaded_file". Among all my php scripts there is only one which contains this command. And the command is used in the following way:

    $uploadfile = $id."_tmp.jpg";
    move_uploaded_file($_FILES['user_file']['tmp_name'], $uploadfile);

So, if a user uploads a file with the usage of my php-script, it (the file) will be saved in my directory under a name which ends with "_tmp.jpg". However, in the directory I found files which end with .php. So I can conclude that a hacker either used another php script (not mine) or could create a file in my directory without the use of a php-script.
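
An added example, not part of the original post: a directory audit that lists every entry the upload code above could not have written and reports its owner uid and modification time. On a POSIX host the owner shows which account created the file, which helps separate "written through the web server" from "written by another account". The `<id>` pattern, the function names and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: $id is alphanumeric, so legitimate uploads are named <id>_tmp.jpg.
EXPECTED = re.compile(r"^[A-Za-z0-9]+_tmp\.jpg$")
JPEG_MAGIC = b"\xff\xd8\xff"


def audit_upload_dir(path, web_uid):
    """List entries the upload script in the post could not have produced.

    Returns tuples (name, reason, owner_uid, owned_by_web_user, mtime).
    """
    findings = []
    with os.scandir(path) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        st = entry.stat(follow_symlinks=False)
        if not entry.is_file(follow_symlinks=False):
            reason = "not a regular file"
        elif not EXPECTED.match(entry.name):
            reason = "name does not match <id>_tmp.jpg"
        else:
            with open(entry.path, "rb") as fh:
                if fh.read(3) == JPEG_MAGIC:
                    continue  # looks like a normal upload
            reason = "expected name but content is not JPEG"
        findings.append((entry.name, reason, st.st_uid,
                         st.st_uid == web_uid, int(st.st_mtime)))
    return findings


def demo():
    # Constructed sample directory: one normal upload and two anomalies.
    d = tempfile.mkdtemp()
    samples = {
        "42_tmp.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 16,
        "43_tmp.jpg": b"not an image",
        "unexpected.php": b"placeholder",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    # The demo process stands in for the web server account.
    return audit_upload_dir(d, web_uid=os.getuid())


if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

The modification times can then be matched against the web server access log and any FTP or SSH logs for the same period.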