Bugtraq mailing list archives
Re: [PHP] include() bypassing filter with php://input
From: Ali Campbell <bugtraq () alicampbell org uk>
Date: Fri, 28 May 2004 23:17:18 +0100
I tested this - AFAI can tell it is exploitable against and only against some page along these lines, as you suggest:

    <HTML><HEAD></HEAD><BODY>
    <!-- header stuff goes here -->
    <?php include ($_GET['page']); ?>
    <!-- footer stuff goes here -->
    </BODY></HTML>

... and if you code things in this remarkable way, you deserve to get 'sploited silly, vuln or no vuln. Why not go the whole hog and add the line

    eval ($_GET['go_ahead_and_sploit_my_trousers_off']);

while you're at it ?

Ali

clez wrote:
> Hi there! i use php 4.3.5 and tried this "proof of concept". i assumed, that the form attribute "methode" is a typing mistake and adapted the exploit to get it working under a php 4.3.x default configuration (it's kinda paradox to use autoglobals in an exploit that aims to secure other products). but even this adapted version (see below) does not show anything on execution. this exploit seems to rely on an exploitable web service, that gets paths to include files from a get variable named "page". so this seems to me like a (fixed/changed) bug at the single service "www.exemple.com" (not to be mixed up with www.example.com from rfc 2606) and not a general php issue.
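
Added example, not part of the original thread or written by its participants: the page-selector pattern from the message above, rewritten so that the "page" request value is only ever a key into a fixed allowlist and never a path or stream wrapper handed to include(). The page names, the pages/ directory and the function name resolve_page are assumptions made for illustration; the code needs PHP 7.1 or later.

```php
<?php
// Added example. PAGES, resolve_page() and the pages/ directory are
// hypothetical names, not taken from the thread.

// Accepted ?page= values mapped to files shipped with the application.
const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

/**
 * Turn a request value into an absolute file path, or null if the
 * value is not an allowlisted page name.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // ?page[]=x arrives as an array; anything that is not a known
    // string key (php://input, ../../etc/passwd, a URL) stops here.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);

    // Defence in depth: the resolved file must exist and must still
    // sit inside the base directory after symlinks are followed.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file; // the path comes from PAGES, never from the request
```

On PHP 5.2 and later, allow_url_include = Off (the default) also stops include() from reading php://input, but the allowlist is what takes the path out of the requester's hands.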