Date: Fri, 28 May 2004 23:17:18 +0100
From: Ali Campbell <bugtraq@...campbell.org.uk>
To: bugtraq@...urityfocus.com
Subject: Re: [PHP] include() bypassing filter with php://input

I tested this - AFAI can tell it is exploitable against and only against
some page along these lines, as you suggest:

<HTML><HEAD></HEAD><BODY>
<!-- header stuff goes here -->
<?php include ($_GET['page']); ?>
<!-- footer stuff goes here -->
</BODY></HTML>

... and if you code things in this remarkable way, you deserve to get
'sploited silly, vuln or no vuln. Why not go the whole hog and add the line

eval ($_GET['go_ahead_and_sploit_my_trousers_off']);

while you're at it ?

Ali

clez wrote:
> Hi there!
>
> i use php 4.3.5 and tried this "proof of concept". i assumed, that the
> form attribute "methode" is a typing mistake and adapted the exploit to
> get it working under a php 4.3.x default configuration (it's kinda
> paradox to use autoglobals in an exploit that aims to secure other
> products).
>
> but even this adapted version (see below) does not show anything on
> execution.
>
> this exploit seems to rely on a exploitable web service, that gets paths
> to include files from a get variable named "page".
>
> so this seems to me like a (fixed/changed) bug at the single service
> "www.exemple.com" (not to be mixed up with www.example.com from rfc
> 2606) and not a general php issue.
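
Added example, not part of the original thread: the include ($_GET['page']) pattern quoted in the reply above, next to a hardened form that uses the parameter only as a key into a fixed allowlist, so strings such as php://input never reach include(). The page keys, file names, directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example; page keys, paths and resolve_page() are hypothetical.

// Vulnerable pattern from the message: the request parameter is passed
// straight to include(), so the caller chooses what gets loaded.
//   include ($_GET['page']);

// Hardened form: the parameter is only ever used as a lookup key.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to a file under $baseDir, or return null.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample inputs, checked offline against a temp directory
// that contains only home.php.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<p>home</p>\n");

foreach (['home', 'php://input', '../../etc/passwd', 'about', ['x']] as $input) {
    $file = resolve_page($input, $dir);
    printf("%-22s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        $file ?? 'rejected (serve 404)');
}
```

In a real page the caller would include() the returned path and send a 404 when resolve_page() returns null. On PHP 5.2 and later, leaving allow_url_include at its default of Off additionally stops include() from reading php://input.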