Some security flaws reported to 4 sites:
ravand.com
florists.com
itiran.com
careers.yahoo.com
:)
Just convert the “PPTx” extension to “ZIP” and then extract it. You can see all of its ingredients.
You can copy the resources or see some texts there.
So, for example, do you want to change one of its picture with a malicious file and zip it and rename it to “PPTx” again?
I do not think so!
Internal Links:
for .PPT (Powerpoint) file click here.
for .PPTx (Powerpoint 2007) file click here.
External Link: To see this PDF file click here.
I do not have my handnotes now ;)
I will put them here as soon as I find them.
I saw some people use this code in “.htaccess” to disable script execution:
<Files ~ “(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi|\.spc|\.jsp|\.cfm|\.passwd)$”>
order deny,allow
deny from all
</Files>
But I think, this code is not secure at all. I bypass it by uploading a file with this name: “testpage.PhP”. (I tested it on my web hosting)
The problem is:
This code has a case sensitive regular expression.
Note: <FilesMatch> is similar to <Files> with this problem
One solution: use this code instead of that code:
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Useful links:
http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html
http://blog.differentpixel.com/archives/198-Lots-of-.htaccess-tips,-tricks-and-hacks.html
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
Cheers
I put my previous advisories at this page: My Previous Advisories
Thank you for visiting my homepage :)
Twitter
LinkedIn