Nuke Cops :: View topic - PHP-Nuke Upload and Execution of Arbitrary Code
Zhen-Xjell (Nuke Cops Founder; joined Nov 14, 2002; posts: 5939)
Posted: Fri Oct 31, 2003 9:22 am

No; however, we'll be issuing a new code addition, and will ask FBC to include it in the mainfile. It is:

Code:
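function SanitizePath($inpath) {
         // Remove any run of two or more dots ("..", "...")
         $outpath = ereg_replace("\.[\.]+", "", $inpath);
         // Remove leading slashes
         $outpath = ereg_replace("^[\/]+", "", $outpath);
         // Remove a leading drive prefix such as "C:" or "C|", plus one following slash
         $outpath = ereg_replace("^[A-Za-z][:\|][\/]?", "", $outpath);
         return($outpath);
}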


This is a code snippet from "Beginning PHP 4", ISBN: 1-861003-73-0. This was located by IACOJ, and it's something we need to start integrating into mainfile.php. I'll be passing this or something similar to Francisco.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
Jeruvy (Lieutenant; joined Jul 09, 2003; posts: 293)
Posted: Sun Nov 02, 2003 7:44 am

Is this going to work in a unix environment? What if the dir has '65' in it? IMHO for this code to work properly one needs to decide when to use it. Using it arbitrarily will break normal directory traversals (images/avatars for instance) in my mind.

Hmm...this has me thinking anyways...

J.

_________________
J.
j e r u v y a t y a h o o d o t c o m
Zhen-Xjell (Nuke Cops Founder; joined Nov 14, 2002; posts: 5939)
Posted: Mon Nov 03, 2003 3:00 pm

Yes, it'll work on both platforms.

_________________
Paul Laudanski, Microsoft MVP Windows-Security
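
As an added example (not part of the thread and not PHP-Nuke code), the script below runs the posted SanitizePath patterns over a few constructed paths, next to a canonicalize-and-contain check, to show which legitimate paths the stripping alters. `preg_replace` stands in for `ereg_replace`, which was removed in PHP 7; `resolve_inside`, the `nuke_demo_` temp tree and the sample paths are hypothetical.

```php
<?php
// Added example. preg_replace stands in for ereg_replace (removed in PHP 7);
// the three patterns are the ones posted in the thread.
function SanitizePath($inpath) {
    $outpath = preg_replace('/\.[\.]+/', '', $inpath);
    $outpath = preg_replace('/^[\/]+/', '', $outpath);
    $outpath = preg_replace('/^[A-Za-z][:\|][\/]?/', '', $outpath);
    return $outpath;
}

// Hypothetical helper: resolve the requested path and accept it only when the
// canonical result still lies inside $baseDir. Returns the real path or false.
function resolve_inside($baseDir, $relative) {
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return false; // path does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : false;
}

// Constructed sample tree in a temp directory (not real PHP-Nuke paths).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'nuke_demo_' . uniqid();
mkdir($root . '/images/avatars', 0700, true);
$files = array('065.gif', 'logo..old.gif');
foreach ($files as $f) {
    file_put_contents("$root/images/avatars/$f", 'x');
}

// Constructed inputs: four name files that exist in the tree, the last does not.
$samples = array('images/avatars/065.gif', 'images/avatars/logo..old.gif',
                 '/images/avatars/065.gif', 'images/../images/avatars/065.gif',
                 '../outside.txt');
foreach ($samples as $p) {
    $contained = resolve_inside($root, $p) === false ? 'rejected' : 'ok';
    printf("%-34s strip=%-30s contained=%s\n", $p, SanitizePath($p), $contained);
}

// Remove the sample tree again.
foreach ($files as $f) {
    unlink("$root/images/avatars/$f");
}
rmdir("$root/images/avatars"); rmdir("$root/images"); rmdir($root);
```

Run it with the PHP CLI and compare the `strip=` column with the input: digits such as `065` pass through untouched, while a file name containing a double dot is rewritten to a name that does not exist.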