You are not logged in. Please login or register.
Teeworlds Forum → Support → security hole on homepage
i found a security hole on this homepage. At least you can download every file from this forum. there are perhaps other files, but i did not test that.
i do not know any possibility to use that. Anyway users should not be able to do that. i will not post it here to avoid any use of that, so perhaps anyone who is responsible for the server could contact me.
Why should the users not be able to do that?
how would you view the page if it doesnt let the browser download it to display it?
you can download every php source-file. and that is not necessary to display the page. i thought that it could be used somehow.
yes punbb have some bugz..
google ur helper admin.
i don't think its a bug of punbb but a problem with the serverconfigs.
If you download the website, that is equivalent to viewing the source of a page and copying and pasting it into a text file. The only way to get a php source file is to gain ftp access. Please research before you post.
yes, it is only an illusion that i can download this stuff.
there is no server admin who interests this security hole and some people who doesn't believe me whatever i post in this thread. In other threads the developer just don't support people who want to know some details to make programs for teeworlds without modifying the source and of course don't react on some suggestions. Also those people who post so often the nice docs as an reply to everything. a nice part of the community...
so here is the possibility to download PHP-files. just click on it and you download the index.php of the forum:
http://trac.teeworlds.com/forum/index.php
If you download the website, that is equivalent to viewing the source of a page and copying and pasting it into a text file. The only way to get a php source file is to gain ftp access. Please research before you post.
I think you should do some research. It's very possible that the webserver is configured to serve phpfiles as plain text instead of running them through the PHP-interpreter. And this seems to be the case here.
A.) I do not think that possible.
B.) It is not the case, check if you don't believe me.
Its easy to make the server serve plain text instead of php. But this one does not.
Wrongly configured lighttpd. Fixed now.
A.) I do not think that possible.
B.) It is not the case, check if you don't believe me.
Think about it, how do you think a webserver works? In Apache for example you need to associate the file extension with the interpreter.
And yes, this server was serving the .php files as plain text when you requested them through the trac vhost, when i clicked the link scosu supplied i could download the index.php file.
Hm, didn't think about trac. Sorry.
Teeworlds Forum → Support → security hole on homepage
Powered by PunBB, supported by Informer Technologies, Inc.
Currently installed 3 official extensions. Copyright © 2003–2009 PunBB.