Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Adrian Hayter adrianhayter at gmail.com
Wed Aug 4 11:41:45 BST 2010


> Yes, I certainly confused the two.  What exactly does the "/../" syntax
> do, and why does it matter to the host?  (The article you link isn't
> explicit enough for me to follow.)
> 
> Nicholas
> -- 
> Contact and PGP key here <http://www.ernest.net/contact/index.htm>
> 

Consider that the URL http://example.com/stuff/morestuff/ points to the location /var/www/example.com/public/stuff/morestuff/ on a server. Doing a directory traversal on the URL (such as: http://example.com/stuff/morestuff/../../../ ) would (on some insecure servers) get the location /var/www/example.com/. Now we know from the previous location that the directory 'public' is contained here, but so could other directories be, such as 'logs', or even important private information.

As you can see, this would matter to the host, since a lot of web servers are configured to display the contents of directories when they do not come across a specified index file (such as index.html or index.php). If you have a folder that is meant to be publicly accessible, you do not want people to be able to traverse out of that directory and into one that contains private data.

-Adrian
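As an added illustration, not part of Adrian's mail, here is a small Python sketch of the two behaviours he describes: a naive mapping of URL path onto filesystem path, which lets "../" walk out of the public directory, beside a hardened mapping that collapses the path and refuses anything that lands outside the document root. The document root and the sample URL paths are the ones from the mail; the function names and the assumption that requests arrive percent-encoded are mine.

```python
import posixpath
from urllib.parse import unquote

# Document root taken from the example in the mail (assumed layout).
DOCROOT = "/var/www/example.com/public"


def naive_map(url_path: str) -> str:
    """Insecure mapping: glue the URL path onto the root and normalise.

    Nothing checks that the collapsed result still lies under DOCROOT,
    so "/stuff/morestuff/../../../" resolves to /var/www/example.com.
    """
    return posixpath.normpath(DOCROOT + "/" + unquote(url_path))


def safe_map(url_path: str):
    """Hardened mapping: returns the filesystem path, or None if the
    request would escape the document root.

    Steps: percent-decode first (so "%2e%2e" is seen as ".."), drop any
    leading slash so the path is always joined *under* DOCROOT, collapse
    "." and ".." lexically, then require the result to be DOCROOT itself
    or something strictly below it.
    """
    decoded = unquote(url_path)
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # The trailing "/" in the prefix test matters: without it a sibling such
    # as /var/www/example.com/public_html would wrongly pass the check.
    if candidate == DOCROOT or candidate.startswith(DOCROOT + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample requests, including the traversal from the mail.
    for req in ["/stuff/morestuff/", "/stuff/morestuff/../../../",
                "/stuff/%2e%2e/%2e%2e/", "/../../etc/passwd"]:
        print(f"{req!r:32} naive={naive_map(req)!r:30} safe={safe_map(req)!r}")
```

The check is purely lexical: it stops "../" and its encoded forms from leaving the root, but it does not follow symbolic links, so a link inside the public directory that points at /var/www/example.com/logs would still be served. A production server should additionally resolve the real path (for example with os.path.realpath) and apply the same prefix test to the result.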