Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
lists at internetpolicyagency.com
Wed Aug 4 14:29:22 BST 2010
In article <4C594882.7070200 at ernest.net>, Nicholas Bohm
<nbohm at ernest.net> writes
>> ".." normally (i.e. in common Unix and Microsoft filesystems) means
>> "parent directory" - so "cd .." should take you back up one level in
>> the filesystem. However. a well-engineered (and configured) webserver
>> should never provide information outside of the "webroot" - either
>> returning an error (RFC compliant behaviour - I'd guess at a 403
>> error) or simply returning the default page (normal behaviour).
>That suggests to me that entering a URL designed to exploit a weakness
>in order to get "behind" the root of a server for a particular site is
>doing something very different from truncating a URL in order to explore
>a site. I can much more easily see why it might be concluded a
>particular user knew it was unauthorised.
I agree that these are very different activities. And will therefore
fail to lose sleep when experimenting with truncated urls which are
*below* (rather than *above*) the root of a server.
More information about the ukcrypto