WebApp Sec mailing list archives

Re: htaccess with apache


From: "A.D.Douma" <addouma () home nl>
Date: Tue, 4 Nov 2003 20:38:10 +0100

Hello,

I had a similar problem with a CGI script that used a <input type='hidden'
name='success' value='succes.html'> to point the client's browser to the
"transaction complete page".

Because of this an attacker could read every file on the webserver. Luckily
the /etc/passwd file was shadowed. My question is what else could an
attacker do? Would command execution be possible?

Thanks
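
The flaw described in the message above comes from the script trusting a client-supplied file name. The following is an added example, not part of the original post or the script it describes: a server-side check for the hidden `success` value, combining an allowlist with a real-path containment test. The names `ALLOWED_PAGES` and `resolve_page`, and the second page name `error.html`, are assumptions for illustration.

```python
import os

# Hypothetical allowlist: the only pages the form is ever meant to land on.
ALLOWED_PAGES = frozenset({"succes.html", "error.html"})


def resolve_page(doc_root, requested, allowed=ALLOWED_PAGES):
    """Return the real path of the page to serve, or None if rejected.

    `requested` is the untrusted value of the hidden `success` field.
    Pass allowed=None to rely on the containment check alone.
    """
    # Reject non-strings and embedded NUL bytes before touching the filesystem.
    if not isinstance(requested, str) or "\x00" in requested:
        return None

    # 1. Allowlist: the client may only choose among names the server knows.
    if allowed is not None and requested not in allowed:
        return None

    # 2. Containment: resolve "..", absolute paths and symlinks, then require
    #    the result to stay under the document root.
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None

    # 3. Serve regular files only (no directories, devices or missing paths).
    if not os.path.isfile(candidate):
        return None
    return candidate
```

A stricter design drops the file name from the form entirely and sends a fixed token that the server maps to a page.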

