Date: Fri, 28 May 2004 23:17:18 +0100
From: Ali Campbell <bugtraq@...campbell.org.uk>
To: bugtraq@...urityfocus.com
Subject: Re: [PHP] include() bypassing filter with php://input


I tested this - AFAI can tell it is exploitable against and only against 
some page along these lines, as you suggest:

<HTML><HEAD></HEAD><BODY>
<!-- header stuff goes here -->
<?php
   include ($_GET['page']);
?>
<!-- footer stuff goes here -->
</BODY></HTML>

... and if you code things in this remarkable way, you deserve to get 
'sploited silly, vuln or no vuln. Why not go the whole hog and add the line

eval ($_GET['go_ahead_and_sploit_my_trousers_off']);

while you're at it?

Ali



clez wrote:

> Hi there!
> 
> I use PHP 4.3.5 and tried this "proof of concept". I assumed that the
> form attribute "methode" is a typing mistake and adapted the exploit to
> get it working under a PHP 4.3.x default configuration (it's kind of a
> paradox to use autoglobals in an exploit that aims to secure other
> products).
> 
> But even this adapted version (see below) does not show anything on
> execution.
> 
> This exploit seems to rely on an exploitable web service that gets paths
> to include files from a GET variable named "page".
> 
> So this seems to me like a (fixed/changed) bug at the single service
> "www.exemple.com" (not to be mixed up with www.example.com from RFC
> 2606) and not a general PHP issue.

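The same header/page/footer layout with the include target chosen from a fixed allowlist instead of taken verbatim from `$_GET['page']`, as an added example that is not part of the original thread (the page names and file paths are hypothetical):

```php
<?php
// Added example, not from the original post. The user-supplied value is only
// ever used as a lookup key; whatever it contains (a stream wrapper such as
// php://input, a remote URL, a ../ path) is never handed to include().

// Hypothetical page names and file paths; adjust to the real site layout.
$pages = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

// Returns the file to include for the requested page name, or the default
// page's file when the name is missing or not in the allowlist.
function resolve_page($pages, $requested, $default = 'home')
{
    if (is_string($requested) && array_key_exists($requested, $pages)) {
        return $pages[$requested];
    }
    return $pages[$default];
}

$requested = isset($_GET['page']) ? $_GET['page'] : null;
$file = resolve_page($pages, $requested);
?>
<HTML><HEAD></HEAD><BODY>
<!-- header stuff goes here -->
<?php include dirname(__FILE__) . '/' . $file; ?>
<!-- footer stuff goes here -->
</BODY></HTML>
```

With this pattern a filter on the raw string is unnecessary, because no raw string ever reaches include(); unknown names simply render the default page.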
