CS338 Computer Security
Friday, 31 October 2024

+ Look at webshell
    - PHP structure
    - PHP context
    - "running as X"
    - users with home directories vs. users without

+ Upload vulnerability
    - How would you describe the vulnerability?
    - What's the programmer error?
    - How to fix?
        - don't tell the user where the images are stored
        - check the content of the proposed uploaded file
        - DOES PHP HAVE A FUNCTION that tells you whether a file is an image file?
    - Let's look at the code
    - Did you use any interesting tricks?
    - Carleton's firewall...

+ Passwords
    - How do you think they're stored?
    -
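
One way to implement the "check the content of the proposed uploaded file" fix from the upload-vulnerability item, as an added example that is not code from the class: PHP's finfo class and getimagesize() both inspect a file's bytes rather than its name. The names ALLOWED_TYPES, image_extension_for and store_upload are hypothetical.

```php
<?php
// Added example: helper names are hypothetical, not the course's code.

// Accepted content types, mapped to the extension the server will assign.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the extension to store the file under, or null when the
// content is not one of the allowed image types.
function image_extension_for(string $path): ?string
{
    // Sniff the MIME type from the file's bytes, not from the
    // client-supplied filename or Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;
    }
    // getimagesize() must also parse the header and agree on the type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED_TYPES[$mime];
}

// $file is one entry of $_FILES; returns the stored name or null.
function store_upload(array $file, string $destDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = image_extension_for($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-chosen random name and extension: the uploader's
    // filename (e.g. "x.php") never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $destDir . '/' . $name)) {
        return null;
    }
    return $name;
}
```

A file can pass both content checks and still carry extra bytes, so the server-assigned extension matters as much as the check itself. Keeping $destDir somewhere the web server does not execute PHP covers the case where a check is bypassed.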