<br><br><div class="gmail_quote">On 4 August 2010 11:53, Nicholas Bohm <span dir="ltr"><<a href="mailto:nbohm@ernest.net">nbohm@ernest.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><br></div>
Taking the above example, could you explain the difference in effect<br>
between <a href="http://example.com/stuff/morestuff/../../../" target="_blank">http://example.com/stuff/morestuff/../../../</a> and<br>
<a href="http://example.com/" target="_blank">http://example.com/</a> ? Do they not<br>
lead to the same location on the server, namely /var/www/<a href="http://example.com/" target="_blank">example.com/</a>?<br>
<div><div></div><div class="h5"><br></div></div></blockquote><div><br>Not quite - the first has 3 'parents' - so should aim you at the parent directory above the defined webroot for <a href="http://example.com">example.com</a> (which might be /var/www or, more usually, /var/www/<a href="http://example.com/">example.com/</a>) and lead you, swiftly, to an error page. The second should take you to the default file in the webroot directory defined below /var/www/<a href="http://example.com">example.com</a> - e.g. /var/www/<a href="http://example.com/webroot/index.html">example.com/webroot/index.html</a>.<br>
<br></div></div>I think? It always used to hurt my brain when doing this, especially once you unicoded everything, so I generally used 'cut and paste' from a pre-prepared attack script.<br clear="all"><br>-- <br>Matthew Pemble<br>
<br><br>