[geeklog-devel] PDF feature....

Dirk Haun dirk at haun-online.de
Wed Jun 9 12:29:17 EDT 2004


>This code also deserves a look from the security perspective.

function PDF_servePDF() should check the path before attempting the download. 

I've managed to download a PDF from some place outside of the webserver's
webtree. For non-PDF files, it at least tells me if that file exists or
not. There may be ways to trick it into downloading non-PDF files, too.
And even if that is not possible, it at least enables me to snoop around
on the webserver.

bye, Dirk


More information about the geeklog-devel mailing list