09-24-2008
That's a cross-site scripting vulnerability at its finest. Are you asking how to prevent this on a design level? Never trust user-supplied data.
It's not clear what values for p you want to continue to allow, but the basic principle should be "deny everything except a well-known set" and so a simple implementation would be to default to accueil.html unless p is one from a small set of other pages you want to allow. (A simple but, on the face of it, reasonably safe generalization would be to only allow values for p which do not contain any slash, encoded or otherwise. But "encoded or otherwise" can constitute a large security hole, too. Are you sure you know all the ways a slash could end up as the result of URL parsing?)
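The allow-list approach described above, as an added example that is not code from the original thread or its poster: a page-selection parameter `p` is resolved against a fixed set of known pages, and the naive "reject anything with a slash" filter is placed beside it to show why the reply is wary of it. The page names other than accueil.html, the helper names, and the sample inputs are constructed for this example.

```python
# Added example (not from the original thread): allow-list dispatch for a
# page-selection parameter such as ?p=..., with the naive slash denylist
# from the discussion shown beside it. Page names other than accueil.html,
# function names and sample inputs are constructed for this illustration.
from urllib.parse import unquote

DEFAULT_PAGE = "accueil.html"

# The only values of p the application will ever serve. Anything else,
# including near-misses and encoded variants, falls back to the default.
ALLOWED_PAGES = frozenset({"accueil.html", "contact.html", "apropos.html"})


def resolve_page_allowlist(p):
    """Deny everything except a well-known set: return the page to include."""
    if p is None:
        return DEFAULT_PAGE
    # Compare the raw parameter as received. An allow-list never has to
    # understand URL encodings, because it only recognises exact members.
    return p if p in ALLOWED_PAGES else DEFAULT_PAGE


def resolve_page_denylist(p):
    """Naive alternative from the discussion: reject values containing a slash.
    Kept only to show why it is weaker than the allow-list above."""
    if p is None:
        return DEFAULT_PAGE
    return DEFAULT_PAGE if "/" in p else p


def single_decode_contains_slash(p):
    """One level of URL decoding: catches %2f but not a double-encoded %252f,
    which is the kind of 'encoded or otherwise' case the reply warns about."""
    return "/" in unquote(p)


def compare(p):
    """Return (allowlist_result, denylist_result, slash_after_one_decode)."""
    return (resolve_page_allowlist(p),
            resolve_page_denylist(p),
            single_decode_contains_slash(p))


if __name__ == "__main__":
    # Constructed sample inputs: legitimate pages plus slash variants in
    # plain, single-encoded and double-encoded form.
    samples = [
        "contact.html",
        "Contact.html",
        "../secret.html",
        "..%2fsecret.html",
        "..%252fsecret.html",
        None,
    ]
    for p in samples:
        print(repr(p), "->", compare(p))
```

The denylist version lets `..%2fsecret.html` straight through, a single decode catches that but not `..%252fsecret.html`, and each additional decoding layer the web stack applies reopens the question. The allow-list gives the same answer for every one of those inputs, which is the point of "deny everything except a well-known set".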