I'm dealing with a website that was recently blocked by the webhost because pbsync was found on the server. I'd like for someone to give me 'a tutorial' if you will or guidance on how they are able to accomplish the below scenario..
index.php consist primarily of these tables with the following code:
^^Somehow because of this, the site is completely exploitable to requests like...
&
^^Basically with the above, the site is completely vulnerable to malicious scripts on the net!! I found the first to be a web face to run shell commands on the server, and the second to be r57shell 1.3.
I'd like to know, with the code shown above, what method is being used to allow for this type of an exploit and how can it be re-written to prevent it? I'm sure this is method is logged somewhere on the php.net but I'm not sure what the exact term is for the scripting method used. All I know is that it seems that they are using frames through php script and it's exploitable with the right URL request.
That's a cross-site scripting vulnerability at its finest. Are you asking how to prevent this on a design level? Never trust user-supplied data.
It's not clear what values for p you want to continue to allow, but the basic principle should be "deny everything except a well-known set" and so a simple implementation would be to default to accueil.html unless p is one from a small set of other pages you want to allow. (A simple but, on the face of it, reasonably safe generalization would be to only allow values for p which do not contain any slash, encoded or otherwise. But "encoded or otherwise" can constitute a large security hole, too. Are you sure you know all the ways a slash could end up as the result of URL parsing?)
Hi,
I'm trying to write a script to determine the time gap between HTTP PUT and HTTP DELETE requests in the HTTP Servers access log.
Normally client will do HTTP PUT to push content e.g. file_1.txt and 21 seconds later it will do HTTP DELETE, but sometimes the time varies causing some issues... (3 Replies)
Hi,
I need to disable HTTPD debugging method in one server. I added the entry 'TraceEnable off' in /etc/apache/httpd.conf.
I restart httpd for the changes to take effect, however I realize now that httpd is actually 'disabled'.
When I try to enable httpd, it shows the status as being in... (1 Reply)
Hypertext Transfer Protocol -- HTTP/1.1 for Reference - HTTP Headers
10 Status Code Definitions
Each Status-Code is described below, including a description of which method(s) it can follow and any metainformation required in the response. (1 Reply)
Hi all,
Need a help in PHP scripting.
Am automating a process in web page. The process is
1. i have to open that web page using the user credentials (Username and password).
2. select a drop down and click submit button.
3. Then check for the status of the page.
Please help me how to... (1 Reply)
hi
am senthil
am developing a software to send and receive SMS using HTTP connection
first of all am forming a URL and sending that URL to a remote server using my Client Program
i send that url through Socket(using Send() Function)
if i send more than one URL one by one using the same... (4 Replies)
Hello all.
This is my first post and thank you for your forum.
Here is my question.
I have a simple setup at home and I was capturing some data with wireshark.
Data between a workstation and the web server, requesting a page.
Simple enough.
Now when I open wireshark, I apply the TCP... (4 Replies)