@ratcateme Oct 16.2008 — I can't see how I could change the directory unless the folder the script is in has a folder in it that starts with an _. Otherwise it breaks almost every good coding practice related to unlink().
You should validate it first: check for slashes and stuff.
Probably best to make it so the user can't enter the file for deletion but get that info from a database, so no user input is in your unlink command, or if it is, it is heavily screened before you put it in.
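The screening suggested in the post above, sketched as an added example that is not part of the original thread or the script under discussion. The thread's code is not shown, so the `id` parameter, the `_` filename prefix and the `uploads` directory are assumptions.

```php
<?php
// Added example: hardened deletion handler. The thread's script is not shown;
// BASE_DIR, the "_" prefix and the "id" parameter are assumptions.
declare(strict_types=1);

const BASE_DIR = __DIR__ . '/uploads';   // hypothetical deletion directory

/**
 * Map a user-supplied id to a file directly inside $baseDir, or return null.
 */
function resolveDeletable(string $id, string $baseDir = BASE_DIR): ?string
{
    // Allowlist: letters, digits, dash, underscore, one optional extension.
    // This rejects slashes, backslashes, "..", control characters and NUL bytes.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?\z/', $id) !== 1) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves symlinks and returns false for missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . '_' . $id);
    if ($target === false || !is_file($target)) {
        return null;
    }

    // Containment check: the resolved path must still sit directly in $base,
    // so a symlink pointing outside the directory is refused.
    if (dirname($target) !== $base) {
        return null;
    }
    return $target;
}

$id = $_GET['id'] ?? '';
$path = is_string($id) ? resolveDeletable($id) : null;

if ($path === null) {
    http_response_code(400);
    exit('Invalid file id');
}
unlink($path);
echo 'Deleted';
```

Looking the filename up from a database row keyed by a numeric id, as the post also suggests, removes the user-controlled string from the path entirely; the containment check is still worth keeping as a second layer.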
@ayvegh (author) Oct 16.2008 — I know it breaks all the rules, but I'm trying to give an example of exploiting via that example (!) and I need a case example.
(What I mean to say is that I need an example of a query string which exploits that code by doing something malicious.)
@NogDog Oct 16.2008 — Not sure if a backspace character could be sent to overwrite that underscore or not, e.g.: script_name.php?id=%09..%2F..%2F..%2Fsomefile.txt%00
@ayvegh (author) Oct 16.2008 — [QUOTE]Not sure if a backspace character could be sent to overwrite that underscore or not, e.g.: script_name.php?id=%09..%2F..%2F..%2Fsomefile.txt%00[/QUOTE]
Interesting idea; I will test it.
Is there any way to inject another function into there by ending the unlink() prematurely, similar to SQL Injection?
@NogDog Oct 16.2008 — [QUOTE]Interesting idea; I will test it.
Is there any way to inject another function into there by ending the unlink() prematurely, similar to SQL Injection?
Thanks again.[/QUOTE]
I don't see how in that case. It's not like you're eval()-ing the value, you're just unlink()-ing whatever value is received. Now if it was an include() call instead of unlink(), that might be a different story.
@ayvegh (author) Oct 16.2008 — [QUOTE]I don't see how in that case. It's not like you're eval()-ing the value, you're just unlink()-ing whatever value is received. Now if it was an include() call instead of unlink(), that might be a different story.[/QUOTE]
Oh well.