Vulnerability Development mailing list archives
php file injection
From: r0man () phreaker net
Date: Fri, 31 May 2002 09:59:24 +0200
Hi,

Fast silly question: let's suppose a .php where you have:

- a variable $template, which could be set up by an attacker
- the script creates a new variable adding a file-extension: $file = $template + ".txt"
- finally it does an open($file).

Well, it is quite evident that an attacker could easily read any .txt file on the system. But, would it be possible for an attacker to read *any* file (with *any* extension)? (for instance, /etc/passwd).

In perl there are some tricks like %00 that could help us to get rid of the file extension, but I don't know of any similar trick in .php.

Regards,
--Roman
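An added example, not part of the original post: the filename construction described above beside a hardened form that allowlists the template name and confirms the resolved path stays inside one directory. TEMPLATE_DIR and both function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// Assumption: templates live in a "templates" directory next to this script.
const TEMPLATE_DIR = __DIR__ . '/templates';

// The pattern described in the post: a request-controlled name plus a fixed
// suffix (written with PHP's "." concatenation operator).
function template_path_unsafe(string $template): string
{
    return $template . '.txt';
}

// Hardened: allowlist the characters of the name, then confirm that the
// resolved path is still inside TEMPLATE_DIR before anything is opened.
function template_path_safe(string $template): ?string
{
    // Letters, digits, '_' and '-' only: no '/', '\', '.', NUL or other
    // control bytes. \A and \z anchor the whole string ('$' alone would
    // tolerate a trailing newline).
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template) !== 1) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $template . '.txt');
    if ($base === false || $path === false) {
        return null; // the directory or the template file does not exist
    }
    // realpath() resolves symlinks, so a link that points outside the
    // template directory fails this prefix check.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample inputs. "welcome" is accepted only if
// templates/welcome.txt exists; the other names are always rejected.
foreach (['welcome', '../notes', "welcome\0", 'a/b', ''] as $name) {
    printf("%-18s unsafe=%-22s safe=%s\n",
        json_encode($name),
        json_encode(template_path_unsafe($name)),
        template_path_safe($name) ?? 'rejected');
}
```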