Well, as in the topic... I found a serious danger in my script: they can view the config file of my web server and gain access to pwds with it. So how do I disable ../ in the URL?
Example URL:
website/openfile.php?file=../../../../../some_passwords.file&filter=0&filtertype=NONE
And my code:
<?php
error_reporting(0);
$tmpfilename = $_GET['file'];
$filtertype = $_GET['filtertype'];
$filter = $_GET['filter'];
// The request value is appended to "tmp/" unchecked, so "../" segments pass through.
$filename = "tmp/$tmpfilename";
if(file_exists("$filename")){
    $lines = file("$filename");
    $found = "0";
    foreach ($lines as $line) {
        $line = rtrim($line);
        if(!strlen($filter) || $filter == "0"){
            print("$line<BR>\n");
            $found = "1";
        }else{
            if($filtertype == "pm"){
                if(stristr($line,"do $filter(") || stristr($line,"[PrivMSG] $filter(")){
                    print("$line<BR>\n");
                    $found = "1";
                }
            }else{
                print("$line<BR>\n");
                $found = "1";
            }
        }
    }
    if($found == "1"){
    }else{
        // Message: "Nothing to display..."
        print("Nie ma co wyswietlic... <BR>");
    }
    // The file is deleted after it has been shown once.
    unlink("$filename");
    // View counter kept in count2.php.
    include("count2.php");
    $f=fopen("count2.php","w+");
    $num = (int)$count2;
    $result = $num+1;
    fputs($f,"<?php \$count2 = $result; ?>");
    fclose($f);
}else{
    // Message: "File is too old or already deleted"
    echo("Plik juz za stary lub usuniety");
}
?>

Sorry if I double-posted the topic, but I think something went wrong.
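
One way to confine the `file` parameter to `tmp/`, as an added example that is not part of the original post: the helper `resolve_in_dir()` and the scratch directory and file names are hypothetical, constructed for the demonstration. It rejects names with directory components and then confirms with `realpath()` that the canonical path still sits under the base directory.

```php
<?php
// Added example: resolve a user-supplied name inside a fixed base directory
// and refuse anything that ends up outside it. Names here are hypothetical.

/**
 * Return the canonical path of $name inside $baseDir, or null if the
 * request is malformed, the file is missing, or it resolves outside $baseDir.
 */
function resolve_in_dir(string $baseDir, $name): ?string
{
    // Arrays (file[]=x), empty values and NUL bytes are never valid names.
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // Drop any directory components, then allow only a conservative charset.
    $leaf = basename(str_replace('\\', '/', $name));
    if ($leaf !== $name || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $leaf)) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false means "does not exist".
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $leaf);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Final containment check: the canonical path must sit under the base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Self-check with constructed data: a scratch directory holding one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'openfile_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'log123.txt', "hello\n");

$cases = ['log123.txt', '../../../../../some_passwords.file', 'sub/log123.txt', '..', ''];
foreach ($cases as $case) {
    $resolved = resolve_in_dir($dir, $case);
    printf("%-40s => %s\n", var_export($case, true), $resolved === null ? 'rejected' : 'allowed');
}

unlink($dir . DIRECTORY_SEPARATOR . 'log123.txt');
rmdir($dir);
```

In the script above, the returned path would take the place of `"tmp/$tmpfilename"`, with the script stopping when `null` comes back; because the same path is later passed to `unlink()`, the check covers the delete as well as the read.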