BugTraq
A little advisory content correction. Sep 18 2007 08:05PM
j00ru vx gmail com
There is a small mistake in the line:

readme.txt /../../../../../../../../asdf.exe

This filename originally looks like:

readme.txt <40 spaces here> /../../../../../../../../asdf.exe

What I mean is that only the "readme.txt" part of the path is visible to the user, and the directory traversal string can easily be hidden in this way.
The forty space characters aren't displayed correctly due to the fact that they are shortened to one space by the browser.

j00ru
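
A defender-side check for the padded name described above, as an added example that is not part of the original post: it flags `..` components and whitespace padding in an untrusted file name, confirms the resolved path stays inside a destination directory, and renders the padding visibly. The function names and the destination directory are assumptions made for illustration.

```python
import os
import re
import tempfile

PAD_RUN = re.compile(r"\s{2,}")  # two or more whitespace characters in a row

def display_name(name):
    """Render a name so padding cannot push the rest of the path out of view."""
    return PAD_RUN.sub(lambda m: "<%d whitespace chars>" % len(m.group()), name)

def check_untrusted_name(name, dest_dir):
    """Return (resolved_path or None, findings) for a file name from an untrusted source."""
    findings = []
    parts = re.split(r"[\\/]", name)  # treat both separators alike on any host OS
    if any(p.strip() == ".." for p in parts):
        findings.append("traversal component")
    if PAD_RUN.search(name):
        findings.append("whitespace padding")
    if name.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", name):
        findings.append("absolute path")
    # Independent of the pattern checks: the resolved target must stay under dest_dir.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name.replace("\\", "/")))
    if os.path.commonpath([dest, target]) != dest:
        findings.append("resolves outside destination")
    return (None if findings else target), findings

if __name__ == "__main__":
    # Constructed sample: the name from the post, with the 40 spaces restored.
    sample = "readme.txt" + " " * 40 + "/../../../../../../../../asdf.exe"
    dest = tempfile.mkdtemp()  # hypothetical destination directory
    print(display_name(sample))
    print(check_untrusted_name(sample, dest))
    print(check_untrusted_name("readme.txt", dest))
```

Showing the output of `display_name` in any confirmation dialog or log keeps the full path in front of the user even when the raw name is rejected.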
