[OWASP_PHPSEC] Sample Application based on PHPSEC

Abbas Naderi abiusx at owasp.org
Sat Oct 12 14:36:31 UTC 2013


Local File Disclosure.
Assume that $Request is ../../../../../../etc/passwd
-A
______________________________________________________________
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at Certified E-Mail with Comodo and Thunderbird in AbiusX.com

On Oct 11, 2013, at 10:01 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> I searched for LFD attacks, couldn't find much... what is it?
> 
> 
> On Fri, Oct 11, 2013 at 9:51 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> Yes but it allows LFD attacks.
> -A
> 
> On Oct 11, 2013, at 6:03 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> 
>> Is this correct?
>> 
>> 	protected function StaticContent($Request)
>> 	{
>> 		if (!realpath(__DIR__."/../static/{$Request}"))
>> 			return require_once (__DIR__ . "/../../view/default/404.php");
>> 		else
>> 		{
>> 			\phpsec\DownloadManager::download(__DIR__ . "/../static/{$Request}");
>> 		}
>> 	}
>> 
>> This is working correctly...
>> 
>> 
>> On Wed, Oct 9, 2013 at 10:40 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> OK, will do... you got me scared... :D
>> 
>> 
>> On Wed, Oct 9, 2013 at 10:36 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>> It does, but it's overly complicated. Dare look at it.
>> -A
>> 
>> 
>> On Oct 9, 2013, at 10:24 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> 
>>> Yeah... I saw that... I was trying to write code for that but couldn't understand what to do exactly... does jFramework contain code for static controller?
>>> 
>>> 
>>> On Wed, Oct 9, 2013 at 10:17 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>> Hello
>>> I haven't done the static controller part yet :| if you look at front controller code, that section is empty :D
>>> Ping me back in the weekend, and I promise to finish it and polish it as well!
>>> -Abbas
>>> 
>>> On Oct 9, 2013, at 10:00 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>>> 
>>>> Hello All,
>>>> 
>>>> It's been a long time... huh
>>>> 
>>>> So, these past few days, I started making a sample application based on PHPSEC, to see what the developers would feel like using the framework... for most cases, it was good.
>>>> 
>>>> But, whenever I try to attach something (CSS, JS, images, etc. files) in the HTML pages, it doesn't get attached. I am not sure why that is...
>>>> 
>>>> e.g. <img src='somelocation/image.png' />     //this does not work.
>>>> 
>>>> So, can you guys help me on this....
>>>> and btw, the sample application is located in:
>>>> https://github.com/rash805115/rnj
>>>> 
>>>> 
>>>> -- 
>>>> Regards,
>>>> Rahul Chaudhary
>>>> Ph - 412-519-9634
>>>> _______________________________________________
>>>> OWASP_PHP_Security_Project mailing list
>>>> OWASP_PHP_Security_Project at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Regards,
>>> Rahul Chaudhary
>>> Ph - 412-519-9634
>> 
>> 
>> 
>> 
>> -- 
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
>> 
>> 
>> 
>> -- 
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
> 
> 
> 
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
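
The `realpath()` test in the quoted `StaticContent()` only confirms that the requested file exists; it never confirms that the resolved path is still inside the static directory, which is why `../` sequences reach files such as `/etc/passwd`. The following is an added example, not code from this thread or from PHPSEC: `resolveStaticPath()` is a hypothetical helper, and the sandbox directory and file names are constructed for the demo.

```php
<?php
/**
 * Hypothetical helper (assumption, not a PHPSEC API): resolve $request inside
 * $baseDir, or return null when the canonical path does not exist, is not a
 * regular file, or lies outside $baseDir.
 */
function resolveStaticPath(string $baseDir, string $request): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($request, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; false means the path does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $request);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check: the canonical target must sit under the canonical base.
    // The trailing separator stops "/static-old/x" from matching "/static".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target; // safe to hand to a download routine
}

// Constructed sandbox so the demo runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'static_demo_' . bin2hex(random_bytes(4));
mkdir("$root/static/css", 0700, true);
mkdir("$root/static-old", 0700, true);
file_put_contents("$root/static/css/site.css", "body{}");
file_put_contents("$root/static-old/old.css", "a{}");
file_put_contents("$root/secret.txt", "outside the static directory");

$requests = [
    'css/site.css',           // legitimate asset
    '../secret.txt',          // traversal out of static/
    'css/../../secret.txt',   // traversal behind a valid first segment
    '../static-old/old.css',  // sibling directory sharing the name prefix
    'css',                    // directory, not a file
    'missing.png',            // nonexistent file
];
foreach ($requests as $r) {
    $path = resolveStaticPath("$root/static", $r);
    printf("%-24s => %s\n", $r, $path === null ? '404' : "serve $path");
}
```

In the controller, the non-null return value is what would be passed to `\phpsec\DownloadManager::download()`, and a null return would take the 404 branch.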
