herme3 Posted October 27, 2005 Posted October 27, 2005 I've noticed that you can make a folder appear to be a file with an extension. For example, you can create a folder called folder.txt and it will still be a folder. Now, couldn't this be a security problem if you do this on a web site? My web host does not allow me to put an extension on a folder name. However, wouldn't some web hosts allow you to create something like http://www.(sitename).com/picture.gif and most people will think it is a picture file, while Internet Explorer recognizes it is a folder? Therefore, it will begin looking for index.html in the folder, which could contain a picture and hidden code? I'm worried about people signing up for banner advertising services, and giving the banner service a link to a .gif folder. The banner service will think it is a harmless banner image, but someone could be placing tracking code in an index.html file in the .gif folder. If this banner opens on a web site that requires users to enter secure information, couldn't this be a problem?
1veedo Posted October 28, 2005 Posted October 28, 2005 My server will let you put "file extentions" in folders and I think it's only for Unix type servers. Windows might have a problem with that. What you seem to be overlooking is that the same security risk is already in place for banner adds. It doesn't have to be an index of a folder, an image can be (as these forums demonstrate) somethinlike immage.php?image=whatever. PHP has the ability to create images. When you get right down to it there could be index.php in the folder image.gif that would output a gif. I used to have a little banner for another forum in my sig that would display people IP address. But yeah, this is a security risk. An inocent banner add can put a cookie on your computer, log information, and do anything a normal PHP file could. This is why there's options for browsers to block "3rd party" cookies and whatnot.
Klaynos Posted October 29, 2005 Posted October 29, 2005 This is also an issue with images in emails which is why you should either block images in emails or not open anything that is suspiciouse.
Cap'n Refsmmat Posted October 29, 2005 Posted October 29, 2005 I'd like to point out that the Apache webserver has a simple little thing that you can also take advantage of: http://www.example.com/script.php/image'>http://www.example.com/script.php/image is equivalent to http://www.example.com/script.php
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now