2011/12/13 Jean-François Bilodeau <jfbilodeau [ at ] chronogears [ dot ] com>
> It should, but if the probe was successful with
> /?file=../../../../../../proc/self/environ%00, that tells me that the index
> may be a script (ie: index.php instead of index.html).
>
> Another possibility is that the query string was indeed ignored, and there
> is no security hole.
>
> Jeff: have you tried to /?file=../../../../../../proc/self/environ%00 url?
> Did that return anything unwanted?
>
> http://www.jukie.net/~bart/html_test/?foo=foo

html_test/index.html is just a static html. It returns 200. the foo=foo seems to be ignored.

-Bart
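
The point made in this exchange (a 200 on a probe URL means little when the target ignores the query string) can be checked from access logs by comparing the probe's response size with the size the same path returns for ordinary requests. The following is an added example, not code from the thread; the log lines, client addresses, the `/app/` path and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines (Apache combined format); not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Dec/2011:10:01:02 -0500] "GET /~bart/html_test/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2011:10:01:05 -0500] "GET /~bart/html_test/?foo=foo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Dec/2011:10:02:11 -0500] "GET /~bart/html_test/?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512 "-" "probe"
203.0.113.9 - - [13/Dec/2011:10:02:15 -0500] "GET /app/?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1874 "-" "probe"
198.51.100.7 - - [13/Dec/2011:10:03:00 -0500] "GET /app/ HTTP/1.1" 200 940 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse(log_text):
    """Yield (client, path, query, status, size) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, _method, target, status, size = m.groups()
            parts = urlsplit(target)
            yield client, parts.path, parts.query, int(status), 0 if size == "-" else int(size)

def is_probe(query):
    """True if the decoded query string contains traversal or a NUL byte."""
    decoded = unquote(query)
    return "../" in decoded or "\x00" in decoded

def triage(log_text):
    """Classify each probe by comparing it with non-probe 200s for the same path."""
    rows = list(parse(log_text))
    baseline = {}  # path -> set of body sizes seen for ordinary 200 responses
    for _client, path, query, status, size in rows:
        if status == 200 and not is_probe(query):
            baseline.setdefault(path, set()).add(size)
    results = []
    for client, path, query, status, size in rows:
        if not is_probe(query):
            continue
        if status != 200:
            verdict = "rejected"        # server refused the request
        elif path not in baseline:
            verdict = "no-baseline"     # nothing to compare against
        elif size in baseline[path]:
            verdict = "query-ignored"   # same body as a normal request
        else:
            verdict = "review"          # 200 with a different body: inspect it
        results.append((client, path, verdict))
    return results
```

Equal body size is a heuristic that suits static pages like the one described here; a dynamic page whose size varies per request needs a body or hash comparison instead.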