Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Matthew Pemble matthew at pemble.net
Wed Aug 4 12:10:46 BST 2010


On 4 August 2010 11:53, Nicholas Bohm <nbohm at ernest.net> wrote:

>
> Taking the above example, could you explain the difference in effect
> between http://example.com/stuff/morestuff/../../../ and
> http://example.com/ ?  Do they not
> lead to the same location on the server, namely /var/www/example.com/?
>
>
Not quite - the first has 3 'parents' - so should aim you at the parent
directory above the defined webroot for example.com (which might be /var/www
or, more usually, /var/www/example.com/) and lead you, swiftly, to an error
page. The second should take you to the default file in the webroot
directory defined below /var/www/example.com - e.g.
/var/www/example.com/webroot/index.html.

I think? It always used to hurt my brain when doing this, especially once
you unicoded everything, so I generally used 'cut and paste' from a
pre-prepared attack script.

-- 
Matthew Pemble
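
Added example (not part of the original message): the two URLs from the question, resolved first at the URL layer with RFC 3986 dot-segment removal and then at the filesystem layer, where a server joins the raw path onto the webroot and must check containment. The function names and the percent-encoded URL are constructed for illustration; /var/www/example.com is the webroot named in the thread.

```python
import posixpath
from urllib.parse import urlsplit, unquote

WEBROOT = "/var/www/example.com"  # webroot path as given in the thread

URL_PARENTS = "http://example.com/stuff/morestuff/../../../"
URL_ROOT = "http://example.com/"
# Constructed sample: the same path with the dots percent-encoded.
URL_ENCODED = "http://example.com/stuff/morestuff/%2e%2e/%2e%2e/%2e%2e/"


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4: '..' never climbs above the URL root."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()          # at the root there is nothing to pop
        elif seg not in (".", ""):
            out.append(seg)
    tail = "/" if out and path.endswith(("/", "/.", "/..")) else ""
    return "/" + "/".join(out) + tail


def naive_fs_path(url):
    """Join the raw, once-decoded URL path onto the webroot and resolve it.

    Pure string resolution so it runs without the directories existing;
    a real server would also resolve symlinks (os.path.realpath).
    """
    raw = unquote(urlsplit(url).path)  # urlsplit leaves dot segments intact
    return posixpath.normpath(WEBROOT + "/" + raw)


def safe_fs_path(url):
    """Return the resolved path, or None if it falls outside the webroot."""
    candidate = naive_fs_path(url)
    if candidate != WEBROOT and not candidate.startswith(WEBROOT + "/"):
        return None                # caller should serve an error page
    return candidate


if __name__ == "__main__":
    for u in (URL_PARENTS, URL_ROOT, URL_ENCODED):
        print(u, "->", remove_dot_segments(unquote(urlsplit(u).path)),
              "|", naive_fs_path(u), "|", safe_fs_path(u))
```

A client that normalises the URL before sending requests "/" in both cases; the difference only appears when the raw path reaches the server, which is why the containment check runs after decoding.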