Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Roland Perry lists at
Wed Aug 4 14:29:22 BST 2010

In article <4C594882.7070200 at>, Nicholas Bohm 
<nbohm at> writes

>> ".." normally (i.e. in common Unix and Microsoft filesystems) means
>> "parent directory" - so "cd .." should take you back up one level in
>> the filesystem. However. a well-engineered (and configured) webserver
>> should never provide information outside of the "webroot" - either
>> returning an error (RFC compliant behaviour - I'd guess at a 403
>> error) or simply returning the default page (normal behaviour).


>That suggests to me that entering a URL designed to exploit a weakness
>in order to get "behind" the root of a server for a particular site is
>doing something very different from truncating a URL in order to explore
>a site.  I can much more easily see why it might be concluded a
>particular user knew it was unauthorised.

I agree that these are very different activities. And will therefore 
fail to lose sleep when experimenting with truncated urls which are 
*below* (rather than *above*) the root of a server.
Roland Perry

More information about the ukcrypto mailing list