[geeklog-devel] PDF feature....
dirk at haun-online.de
Wed Jun 9 12:29:17 EDT 2004
> This code also deserves a look from the security perspective.

function PDF_servePDF() should check the path before attempting the download.
I've managed to download a PDF from some place outside of the webserver's
webtree. For non-PDF files, it at least tells me if that file exists or
not. There may be ways to trick it into downloading non-PDF files, too.
And even if that is not possible, it at least enables me to snoop around
on the webserver.
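The kind of check the message asks for, as an added example that is not Geeklog's own code and not the actual PDF_servePDF() implementation: the directory variable `$pdf_dir`, the request parameter `$requested` and the function names are assumptions. It canonicalises the path with realpath(), insists the result stays under the PDF directory, requires a .pdf extension, and returns one generic 404 for every failure so the endpoint cannot be used to tell whether arbitrary files exist.

```php
<?php
// Added example (not Geeklog's code): hardened path handling for a PDF download endpoint.
// $pdf_dir and $requested are assumed names; the Geeklog function is not reproduced here.

function pdf_resolve_safe_path(string $pdf_dir, string $requested): ?string
{
    // Canonical, symlink-resolved base directory; fail closed if it does not exist.
    $base = realpath($pdf_dir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Accept only a bare file name: no directory components, no NUL bytes.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested) {
        return null;
    }

    // Require the .pdf extension before touching the filesystem at all.
    if (strtolower(pathinfo($requested, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }

    // realpath() collapses "..", "./" and symlinks; the result must still lie under $base.
    $full = realpath($base . $requested);
    if ($full === false
        || strncmp($full, $base, strlen($base)) !== 0
        || !is_file($full)) {
        return null;
    }
    return $full;
}

function pdf_serve_safe(string $pdf_dir, string $requested): void
{
    $path = pdf_resolve_safe_path($pdf_dir, $requested);
    if ($path === null) {
        // One identical response for "outside the tree", "not a PDF" and
        // "does not exist", so the endpoint is not a file-existence oracle.
        header('HTTP/1.1 404 Not Found');
        echo 'File not found';
        return;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage (assumed request parameter name):
// pdf_serve_safe('/var/www/geeklog/pdfs', $_GET['file'] ?? '');
```

The prefix comparison against the realpath() of the base directory is what actually enforces the "inside the webtree" rule; the basename() and extension checks are cheaper early rejects, and the single generic error message addresses the second point in the message, that a differing response for missing files lets a caller map the server's filesystem.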