Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Nicholas Bohm nbohm at ernest.net
Wed Aug 4 11:53:29 BST 2010


Adrian Hayter wrote:
>> Yes, I certainly confused the two.  What exactly does the "/../" syntax
>> do, and why does it matter to the host?  (The article you link isn't
>> explicit enough for me to follow.)
>>
>> Nicholas
>> -- 
>> Contact and PGP key here <http://www.ernest.net/contact/index.htm>
>>
>
> Consider that the url http://example.com/stuff/morestuff/ pointed to
> the location /var/www/example.com/public/stuff/morestuff/ on a server.
> Doing a directory traversal on the url (such as:
> http://example.com/stuff/morestuff/../../../ ) would (on some insecure
> servers) get the location /var/www/example.com/. Now we know from the
> previous location that the directory 'public' is contained here, but
> so could some other directories, such as 'logs' or even important
> private information.
>
> As you can see, this would matter to the host, since a lot of
> webservers are configured to display the contents of directories when
> they do not come across a specified index file (such as index.html or
> index.php). If you have a folder that is meant to be publicly
> accessible, you do not want people to be able to traverse out of that
> directory and into one that contains private data.

Most helpful - thank you.

Taking the above example, could you explain the difference in effect
between http://example.com/stuff/morestuff/../../../ and
http://example.com/ <http://example.com/stuff/morestuff/>?  Do they not
lead to the same location on the server, namely /var/www/example.com/?

Nicholas
-- 
Contact and PGP key here <http://www.ernest.net/contact/index.htm>
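As an added illustration of the two mappings discussed above (example code written for this page, not from either poster), the snippet below models the naive "concatenate and normalise" behaviour Adrian describes beside a containment check that refuses any request resolving outside the document root. The document root /var/www/example.com/public and the request paths are taken from the thread; the function names are my own.

```python
import posixpath
from typing import Optional

# Document root from the thread: http://example.com/ serves this directory.
DOC_ROOT = "/var/www/example.com/public"


def naive_map(url_path: str, doc_root: str = DOC_ROOT) -> str:
    """Model an insecure server: glue the URL path onto the document root
    and let path normalisation collapse every '..' it finds.

    With this mapping '/stuff/morestuff/../../../' climbs three levels, one
    past the document root, and lands on /var/www/example.com, whereas '/'
    lands on the document root itself. The two URLs are therefore not the
    same location.
    """
    return posixpath.normpath(doc_root + "/" + url_path.lstrip("/"))


def safe_map(url_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Resolve url_path inside doc_root, or return None if it escapes.

    The check is done on the normalised string, so a '..' that merely moves
    around within the root (e.g. '/stuff/../') is still allowed, while any
    result that is not the root or a descendant of it is rejected. On a real
    filesystem the same containment test should be applied to the result of
    os.path.realpath() so that symlinks cannot bypass it.
    """
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(root + "/" + url_path.lstrip("/"))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed requests mirroring the thread's example URLs.
    for request in ("/", "/stuff/morestuff/", "/stuff/morestuff/../../../"):
        print(f"{request!r:32} naive -> {naive_map(request)}")
        print(f"{'':32} safe  -> {safe_map(request)}")
```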
