Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
matthew at pemble.net
Wed Aug 4 12:10:46 BST 2010
On 4 August 2010 11:53, Nicholas Bohm <nbohm at ernest.net> wrote:
> Taking the above example, could you explain the difference in effect
> between http://example.com/stuff/morestuff/../../../ and
> http://example.com/ ? Do they not
> lead to the same location on the server, namely /var/www/example.com/?
Not quite - the first has 3 'parents' - so should aim you at the parent
directory above the defined webroot for example.com (which might be /var/www
or, more usually, /var/www/example.com/) and lead you, swiftly, to an error
page. The second should take you to the default file in the webroot
directory defined below /var/www/example.com - e.g. /var/www/
I think? It always used to hurt my brain when doing this, especially once
you unicoded everything, so I generally used 'cut and paste' from a
pre-prepared attack script.
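
[Added example, not part of the original message or of any poster's code.] The two URLs from the thread, resolved lexically against the webroot /var/www/example.com, with the containment check a server applies before serving a file. It assumes the server maps the URL path straight onto the filesystem without normalising it first; the function names and the extra sample URLs are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

WEBROOT = "/var/www/example.com"  # webroot named in the thread


def map_to_filesystem(url, webroot=WEBROOT):
    """Map a URL path onto the filesystem the way a server with no
    containment check would (assumed behaviour, see lead-in)."""
    # Decode percent-encoding first so %2e%2e is seen as '..'.
    path = unquote(urlsplit(url).path)
    joined = posixpath.join(webroot, path.lstrip("/"))
    # normpath collapses each '..' against the component before it.
    return posixpath.normpath(joined)


def is_inside_webroot(resolved, webroot=WEBROOT):
    """True only if the resolved path is the webroot or below it."""
    root = posixpath.normpath(webroot)
    # Compare against root + '/' so a sibling such as
    # /var/www/example.com.bak is not mistaken for a child.
    return resolved == root or resolved.startswith(root + "/")


def classify(url):
    """Return (resolved_path, decision) for one request URL."""
    resolved = map_to_filesystem(url)
    return resolved, "serve" if is_inside_webroot(resolved) else "reject"


if __name__ == "__main__":
    # Constructed sample requests; the first two are the URLs in the thread.
    samples = [
        "http://example.com/stuff/morestuff/../../../",
        "http://example.com/",
        "http://example.com/stuff/morestuff/../../",
        "http://example.com/stuff/morestuff/%2e%2e/%2e%2e/%2e%2e/",
        "http://example.com/../example.com.bak/x",
    ]
    for url in samples:
        print(url, "->", classify(url))
```

The check is purely lexical; a server that follows symbolic links also needs to compare the real (link-resolved) path against the webroot.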