Sure. I can send this string as your victim
POST argument:
/var/www/your_website/index.php\0
And you'll modify index.php
. The \0
makes PHP ignore the .txt
extension. In user
, I could send some PHP code and append it into your index page, which is pretty bad.