This method uploads .htaccess files to change how the server behaves. The nice trick here is that the file itself does three things:
- Allows .htaccess files to be displayed
- Tells Apache that the contents of .htaccess files must be interpreted by PHP (so the file itself is executed by the PHP interpreter)
- Ends with PHP code that passes commands to the operating system
As a side note, the author also comments that this trick can be applied to JSP and mod_perl installations.
Some information on securing file uploads, from OWASP.
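
Why an upload filter can miss this file, as an added example that is not code from the original post or its sources: an extension blocklist sees no extension at all on `.htaccess`, while an allowlist that rejects dotfiles and stores uploads under a server-chosen name stops it. The extension sets and function names are assumptions made for this illustration.

```python
import os
import secrets
from typing import Optional

# Assumed policies for this example; adjust to the application.
BLOCKED_EXTS = {".php", ".phtml", ".php5", ".jsp", ".pl", ".cgi"}  # weak: blocklist
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}           # hardened: allowlist


def blocklist_accepts(filename: str) -> bool:
    """Weak check: reject only known script extensions.

    os.path.splitext() ignores leading dots, so ".htaccess" has the
    extension "" and passes any extension blocklist.
    """
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTS


def safe_storage_name(filename: str) -> Optional[str]:
    """Hardened check: return a server-chosen name, or None to reject."""
    # Drop any client-supplied directory part (both separator styles).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Some filesystems strip trailing dots and spaces, so normalise first.
    base = base.strip().rstrip(". ")
    # Dotfiles such as .htaccess are server configuration, never user content.
    if not base or base.startswith(".") or "\x00" in base:
        return None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTS:
        return None
    # Never reuse the client's name: random stem plus the vetted extension.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample names, not taken from a real incident.
    for name in [".htaccess", "dir/../.htaccess", ".htaccess.", "shell.php.", "Photo.JPG"]:
        print(f"{name!r:22} blocklist_accepts={blocklist_accepts(name)!s:5} "
              f"stored_as={safe_storage_name(name)}")
```

Filename checks are only one layer: setting `AllowOverride None` for the upload directory makes Apache ignore any .htaccess file that does land there.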