http://rgaucher.info/ This is a technical blog around the web security and hopefully lots of technologies. There will be at least: Python, C++, Web, AJAX, CSS and JavaScript. I'd like to talk more about data-mining, operational research stuff, maybe more intelligent algorithm also... en Fri, 04 May 2012 15:43:23 -0400 All the content of this blog has been written by Romain Gaucher. Please add my blog URL if you quote me http://blogs.law.harvard.edu/tech/rss Dotclear http://rgaucher.info/post/2006/10/27/How-to-scan-for-basic-php-include-injection#c2802 urn:md5:89fc8d5096658d4c9b3623e23370b9fb Mon, 29 Sep 2008 15:04:44 -0400 romain <p>Wahou, I didn't even remember this post. Anyway, you're absolutely right; a solution is to prevetn path traversal for instance and also special characters inection such as NULL bytes, etc.</p> http://rgaucher.info/post/2006/10/27/How-to-scan-for-basic-php-include-injection#c2801 urn:md5:aa3cca696b4481c0a50a9add379cb083 Mon, 29 Sep 2008 13:56:11 -0400 lort <p>1st way is still exploitable in a way.</p> <p>instead of:<br /> www.mywebsite.com/index.php?page=myfile.html<br /> if i type:<br /> www.mywebsite.com/index.php?page=../../../../etc/passwd</p> <p>i will retrieve your passwd file or any other file i can think of.</p> <p>read the following blog post for details:<br /> www.0x000000.com/index.php?i=315</p> <p>----------------</p> <p>better use the second way,</p> <p>cheers</p>