Action address in HTML forms

Dominic Thoreau dominic.thoreau at googlemail.com
Wed Mar 4 10:59:12 GMT 2009


2009/3/3 David Cantrell <david at cantrell.org.uk>:
> On Tue, Mar 03, 2009 at 05:48:40PM +0000, the hatter wrote:
>
>> I'd expect most frameworks to remove the URI distinction between html pages
>> and where scripts can execute
>
> I've always wondered what the point was of having a separate /cgi-bin or
> equivalent.  I stopped doing that as soon as I switched to a web server
> that didn't enforce it.

Not that this is a justification for the sort of security lapse that
lets you get into this sort of situation,
but:

If your website has any sort of functionality that involves uploading
of files, this could be seen as a point-of-last-resort safeguard
against code injection attacks.

Of course, you shouldn't be storing uploaded files anywhere in
world-accessible space (at least, not directly, without human and/or
comprehensive taint checking), but just best-practice doesn't always
happen in the wild.
-- 
No train here, but still:
The sign says: "Ready to Leave"
Normal service, yes?
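The two safeguards discussed above (keep uploads out of the served tree, and make sure nothing in the upload area can be executed) as an added Python example; this is not code from the thread, and the document root and upload directory paths are constructed placeholders:

```python
import os
import secrets
from pathlib import Path

# Constructed example paths; a real deployment takes these from configuration.
DOCROOT = Path("/var/www/html")            # everything here is served by the web server
UPLOAD_DIR = Path("/var/lib/app/uploads")  # deliberately outside the document root


def is_inside(path: Path, root: Path) -> bool:
    """True if path is root or lies beneath it (lexical check, no files needed)."""
    try:
        path.resolve(strict=False).relative_to(root.resolve(strict=False))
        return True
    except ValueError:
        return False


def store_upload(data: bytes, upload_dir: Path = UPLOAD_DIR, docroot: Path = DOCROOT) -> Path:
    """Write an uploaded file where the web server will neither serve nor execute it.

    - refuses an upload directory that sits inside the document root
    - ignores the client-supplied name entirely and uses an opaque random token
      with no extension, so no handler is selected by suffix
    - creates the file mode 0600, so no execute bit is ever set on it
    """
    if is_inside(upload_dir, docroot):
        raise ValueError("upload directory must not be under the document root")
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / secrets.token_hex(16)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def download_headers(original_name: str) -> dict:
    """Headers for handing a stored file back through the application (not the
    static file server): force a download and forbid content sniffing."""
    safe = "".join(c for c in original_name if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }
```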



More information about the london.pm mailing list