
Re: [OCLUG-Tech] Apache security question

On Tue, Dec 13, 2011 at 12:37:11PM -0500, Bart Trojanowski wrote:
> 2011/12/13 Jean-François Bilodeau <jfbilodeau [ at ] chronogears [ dot ] com>
> 
> > It should, but if the probe was successful with
> > /?file=../../../../../../proc/self/environ%00, that tells me that the index
> > may be a script (i.e. index.php instead of index.html).
> >
> > Another possibility is that the query string was indeed ignored, and there
> > is no security hole.
> >
> > Jeff: have you tried the /?file=../../../../../../proc/self/environ%00 URL?
> > Did that return anything unwanted?
> >
> >
> 
> http://www.jukie.net/~bart/html_test/?foo=foo
> 
> html_test/index.html is just a static html.  It returns 200. The foo=foo
> seems to be ignored.

I tried it on my dynamic page (served by byteflow), and just got the
front page (as I would expect for a http://server/ url).

I know my software will not look at the GET query part (the part after
?) for the front page.

I think it comes down to knowing what your server is going to do with
the GET query.  If you actually have php, you may be able to configure
it to only serve pages that are part of your site, and to ignore (or
slap back in response to) requests for pages elsewhere on your
machine.

bjb
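
The check the last paragraph describes (a script that takes a file name from the GET query serves only files that are part of the site), as an added example that is not from the original thread. The function names and the temporary site tree are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import parse_qs, urlsplit


def resolve_site_file(site_root, requested):
    """Return the real path of `requested` if it lies inside `site_root`, else None."""
    if not requested or "\x00" in requested:
        # A decoded %00 has no place in a file name; older PHP versions cut
        # the path at the NUL, dropping any suffix the script appended.
        return None
    root = os.path.realpath(site_root)
    # Join, then resolve "..", "." and symlinks before comparing.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # resolved to somewhere else on the machine
    return candidate if os.path.isfile(candidate) else None


def file_param(url):
    """Extract the decoded `file` query parameter from a request URL."""
    values = parse_qs(urlsplit(url).query).get("file")
    return values[0] if values else None


def demo():
    # Constructed site tree in a temporary directory.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "pages"))
        with open(os.path.join(root, "pages", "about.html"), "w") as fh:
            fh.write("<p>about</p>")
        probe = "/?file=../../../../../../proc/self/environ%00"  # from the thread
        legit = "/?file=pages/about.html"                        # constructed
        return (
            resolve_site_file(root, file_param(probe)),
            resolve_site_file(root, file_param(legit)) is not None,
            # Same probe without the NUL: rejected by the containment check.
            resolve_site_file(root, "../../../../../../proc/self/environ"),
        )


if __name__ == "__main__":
    print(demo())
```

A static index.html that ignores the query string never reaches code like this, which is why the probe returning 200 on such a page says nothing about whether a file was read.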