Yes, I should

Mordred wrote:
Yes it would work, perhaps you should try it first?

Just a similar example about using prefixes...

Mordred wrote:
And what does register_globals have to do with this at all?
Code:
include("contents/pre_XXX/../../contents/secret.txt");

Code:
root@mail:/www/ipclassify.relef.net# ls contents/pre_XXX/../../contents/secret.txt
/usr/bin/ls: contents/pre_XXX/../../contents/secret.txt: No such file or directory

Code:
php -v
PHP 5.2.1 (cli) (built: Mar 30 2007 00:22:49)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

No, it is not ...

Zoxive wrote:
That is normal ../ behavior. That's what I was trying to say the whole time. Instead I wasn't saying `XXX`, I was saying just `/`.
What helped out on your server was that you have Magic Quotes on, and the suffix of `.txt`, so only .txt files on your server could have been included.
arborint wrote:
Code:
// $base and $extension are set elsewhere in the script.
// Keep only letters, digits, '-', '_', '.' and '/', then strip leading and
// trailing '/' and '.' (trim() takes the string first, then the character list).
$a = trim(preg_replace('/[^a-zA-Z0-9\-\_\.\/]/', '', $_GET['a']), '/.');
$path = $base . $a . $extension;
if (file_exists($path)) {
    include $path;
} else {
    // error
}
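
Added example, not from any poster in the thread: a value such as `sub/../../secret` passes the character filter above because `.` and `/` are allowed, so the check below resolves the candidate with realpath() and accepts it only if the canonical path stays under the base directory. The function name resolve_include, the temporary directory layout and the sample inputs are constructed for illustration, and the type hints assume PHP 7.1 or later.

```php
<?php
// Added example: resolve_include() and the directory layout are constructed.

// Return the canonical path of $name inside $base, or null if it escapes
// the base directory, does not exist, or is not a regular file.
function resolve_include(string $base, string $name, string $extension): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks and returns false when
    // the target does not exist.
    $real = realpath($baseReal . DIRECTORY_SEPARATOR . $name . $extension);
    if ($real === false) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // directory such as "contents_old" cannot match "contents".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed layout: <tmp>/contents/page.txt is public, <tmp>/secret.txt is not.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($root . '/contents/sub', 0700, true);
file_put_contents($root . '/contents/page.txt', "public\n");
file_put_contents($root . '/secret.txt', "secret\n");

// Constructed inputs; every one of them passes the character whitelist.
$inputs = ['page', 'sub/../page', 'sub/../../secret', 'pre_XXX/../../secret', 'missing'];
foreach ($inputs as $a) {
    $path = resolve_include($root . '/contents', $a, '.txt');
    printf("%-22s => %s\n", $a, $path === null ? 'rejected' : 'allowed');
}

// Remove the constructed files again.
unlink($root . '/contents/page.txt');
unlink($root . '/secret.txt');
rmdir($root . '/contents/sub');
rmdir($root . '/contents');
rmdir($root);
```

Only a non-null return value should ever be passed to include; the check does not depend on whether the platform resolves `..` through a directory that does not exist.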