On Thu, 17 Feb 2011 21:39:49 +0100, Michele Orru said:

> I mean, every Drupal user knows that the default path to register a new
> user is user/register,
> or that the default admin account is reachable at user/1, or that the
> contact form is at the contact URI.

Yes, but that's the *URL PATH*. What's the full path *on the filesystem*? Is it /opt/drupal/user/register? Or did they stick it in /usr/local/drupal? Or somewhere else?

This actually matters if you're trying to do a tree traversal exploit like ../../../path/to/drupal/install/ - or if you *thought* you had configured your system so it wouldn't leak full pathnames so skiddies couldn't abuse tree traversal exploits.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
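The point made in the reply above (a URL path tells you nothing about where the install lives on disk, and a traversal payload that has to descend back into the Drupal directory depends on that location) can be shown with a little path arithmetic. The following is an added example for this page, not code from the poster or from Drupal, and every directory in it (/var/www/html/app/includes as the location of a hypothetical vulnerable include, /opt/drupal and /usr/local/drupal as candidate install directories) is a made-up assumption. It uses posixpath so it runs offline without any of those directories existing; a real resolver would use os.path.realpath to also collapse symlinks.

```python
import posixpath

# Hypothetical location of a file-include that resolves user input relative to
# its own directory (assumed, not from the page).
VULN_DIR = "/var/www/html/app/includes"

# Two candidate Drupal install locations from the reply (assumed paths).
INSTALLS = ["/opt/drupal", "/usr/local/drupal"]


def payload_for(start_dir, target):
    """Relative path an attacker must feed to an include rooted at start_dir
    to reach target. Note it embeds the target's absolute location: the
    attacker has to know (or leak) where Drupal was installed."""
    return posixpath.relpath(target, start_dir)


def resolve_unsafe(start_dir, user_path):
    """Model of the vulnerable include: join and normalise with no check.
    normpath drops '..' components that would climb above '/', so an attacker
    may overshoot the number of '../' without penalty; the install directory
    still has to be spelled out after that."""
    return posixpath.normpath(posixpath.join(start_dir, user_path))


def resolve_safe(base_dir, user_path):
    """Hardened include: normalise, then refuse anything outside base_dir.
    Absolute user paths are rejected too, because join() discards base_dir
    when user_path starts with '/'. Returns None for rejected input."""
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, full]) != base:
        return None
    return full


if __name__ == "__main__":
    for install in INSTALLS:
        target = posixpath.join(install, "install.php")
        payload = payload_for(VULN_DIR, target)
        print(f"{install:18} payload: {payload}")
        print(f"{'':18} unsafe resolves to: {resolve_unsafe(VULN_DIR, payload)}")
        print(f"{'':18} safe resolves to:   {resolve_safe(VULN_DIR, payload)}")
    # Overshooting the traversal still works against the unsafe resolver.
    print(resolve_unsafe(VULN_DIR, "../../../../../../../../../opt/drupal/install.php"))
    # A legitimate relative include inside base_dir is still allowed.
    print(resolve_safe(VULN_DIR, "templates/header.php"))
```

Two practitioner notes: the payloads for /opt/drupal and /usr/local/drupal differ only in the install prefix, which is exactly the information a verbose PHP error or stack trace leaks; and the prefix check in resolve_safe is the property to test for (does the resolved path stay under the base directory), not the presence of a ".." substring, which is easy to encode around.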