Top 10 Vulnerabilities in Web Applications
sverrehu writes "The Open Web Application Security
Project (OWASP) has released a well-written document that is a
must read for every web programmer out there. This security document
is not about firewalls, encryption and patching. It's about common,
highly exploitable errors made by the application programmers. Pick
up your copy of "The Ten Most Critical Web Application Security
Vulnerabilities" from the OWASP web site."
One of my favorites is index.php?p=blah.php, where you can easily replace blah.php with something a little more interesting, such as /etc/passwd.
I've emailed several people notifying them of this problem but not one single person changed their code.
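For anyone who has that exact pattern in their code, here is what the hole looks like next to two ways of closing it. This is an added example, not code from the poster or from the OWASP document; the page names (home/about/contact), the pages/ directory and the function names are assumptions.

```php
<?php
// Added example (not from the original post). Assumed layout: the pages that
// index.php is allowed to show live under ./pages/*.php and are selected by ?p=.

// VULNERABLE: whatever arrives in ?p= is included verbatim, so
// ?p=../../../../etc/passwd reads that file into the response, and any file
// the attacker can get onto the box (an upload, a log line) runs as PHP.
function render_page_vulnerable(string $p): void
{
    include $p;
}

// FIX 1 (preferred): the parameter is a key into an allowlist, never a path.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(?string $p): string
{
    if ($p === null || !array_key_exists($p, PAGES)) {
        return PAGES['home'];   // unknown keys fall back to a known page
    }
    return PAGES[$p];
}

function render_page_hardened(?string $p): void
{
    include resolve_page($p);
}

// FIX 2 (when the set of pages really is dynamic): strip directory parts,
// force the extension, then confirm the resolved path stays inside the base
// directory. Returns null for anything that does not pass every check.
function resolve_within_dir(string $baseDir, string $name): ?string
{
    if (strpos($name, "\0") !== false) {      // null bytes never belong in a name
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . basename($name) . '.php');
    if ($base === false || $candidate === false) {
        return null;                           // base missing or file does not exist
    }
    // Prefix check on the canonical path defeats ../ and symlink tricks.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage (one of the two):
//   render_page_hardened($_GET['p'] ?? null);
//   $f = resolve_within_dir(__DIR__ . '/pages', $_GET['p'] ?? '');
//   if ($f === null) { http_response_code(404); } else { include $f; }
```

With fix 2, ?p=../../../../etc/passwd becomes pages/passwd.php, which does not exist, so the request 404s; note that basename() means "about.php" also fails (it resolves to about.php.php), so callers pass the bare page name. The allowlist is still the better choice wherever the list of pages is known in advance.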
Unfortunately, they forgot:
-Application allows user to upload a file (attachment, image, etc) somewhere into the webroot.
-Instead of sending a .jpg, the application allows the user to upload a file of any name.
-User uploads "mail_me_your_sources.php", or similar
-This upload becomes executable, user has control of server
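The four steps above, as an added example showing the careless handler next to one that breaks the chain at every step. This is not the commenter's code; the form field name, the /var/app/uploads directory and the image-only policy are assumptions.

```php
<?php
// Added example (not from the original post). Assumed: the form field is
// $_FILES['attachment'], uploads are meant to be images, and /var/app/uploads
// is a directory the web server never serves directly.

// VULNERABLE: the client picks the file name and the file lands in the webroot,
// so "mail_me_your_sources.php" becomes a URL the attacker can request and run.
function store_upload_vulnerable(array $file): string
{
    $dest = __DIR__ . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// HARDENED: type decided from the bytes, name chosen by the server, stored
// outside the webroot, served only through a script with a fixed Content-Type.
const UPLOAD_DIR = '/var/app/uploads';   // outside the webroot (assumption)
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload_hardened(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Never trust $file['name'] or $file['type']; both come from the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // Random server-side name with an extension derived from the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name;   // keep this in the database; it is the only handle to the file
}

// Download endpoint: validates the stored name shape, reads from UPLOAD_DIR
// and sends a fixed Content-Type so the browser cannot be talked into
// treating the file as anything else. The file is never executed.
function serve_upload(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    header('Content-Type: ' . array_search($ext, ALLOWED_TYPES, true));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage:
//   $stored = store_upload_hardened($_FILES['attachment']);
//   if ($stored === null) { http_response_code(400); }
//   ...later, on /download.php?f=<name>:  serve_upload($_GET['f'] ?? '');
```

The MIME check alone is not the control: a file can be a valid image and still carry PHP in its comment sections. What actually stops step 4 is that nothing under UPLOAD_DIR is ever handed to the PHP interpreter, because it sits outside the webroot and is only read back by readfile(). If uploads must stay inside the webroot for some reason, disable script execution for that directory in the web server configuration as well.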
"While this is stuff that matters, it certainly isn't news. Folks have been making the same sloppy mistakes and careless oversights since AOL was trading at $140/share. (And that's a long time ago.)"
/. babbles on and on about security and rarely goes into detail like this about what we can do about it. I only picked up PHP a year ago and just from reading some of the posts here, I've gone back over code I've written to make sure I didn't make those mistakes.
I'm gonna haveta defend Slashdot here. It may not be news, but
Just because it's not a new topic doesn't mean it's not new to some people. Frankly, I'd rather read old articles like this than the usual finger pointing at Microsoft.