What characteristics should good products have? People may have their own answers; for example, when they go to a mall to buy a TV, people usually check the TV set in all aspects: They will check for advanced features, updated hardware, appealing...
In the 2009 OWASP Conference, Luca Carettoni and others demonstrated an attack called HPP (HTTP Parameter Pollution). Simply put, while issuing requests to the server via GET or POST, two identical parameters are used; which one will the server choose? Let us look at...
Apache Tomcat and jBoss both run on port 8080 by default. The role of Tomcat Manager is similar to JMX-Console, so administrators can deploy war packages through Tomcat Manager. But fortunately, deploying a war package via Tomcat Manager needs ma...
jBoss is a popular web container in the J2EE environment, but the functionality of jBoss in its default installation is not very safe. If configured incorrectly, it may allow direct remote command execution. A background management interface c...
Nginx has developed rapidly in recent years, and its high performance and high concurrent processing capability give users more choices in web servers. But from a security point of view, in recent years, Nginx has had more high-risk vulnerabili...
Although the market share of Nginx and LightHttpd among web servers has been increasing in recent years, Apache is still on top in this field, and the majority of web applications on the Internet are still running on Apache Httpd. Our concern ab...
How do we ensure the security of PHP? In addition to understanding PHP vulnerabilities, you can also configure php.ini to harden the PHP runtime environment. Official PHP has also repeatedly modified the default settings of php.ini. regist...
With the help of the real-world cases discussed so far, we now have a basic understanding of the vulnerabilities in PHP code execution. If we categorize common code execution vulnerabilities, we can derive some rules. Familiarizing ourselves with these si...
Let us take a look at file-writing code execution. In PHP, we must be careful when defining operations on a file. If the user can control the contents of the file, it can easily become a vulnerability. The “Discuz! ‘Admin\database.inc.php get-w...
This is an indirect control of the eval() function input. This vulnerability was discovered by security researcher flyh4t: MyBB 1.4 admin remote code execution vulnerability. First, the eval() function exists in the MyBB code. //index.php, around line 336...