Michal Majchrowicz wrote:
> Due to "security reasons" many Web Browsers don't allow cross
> domain XMLHttpRequests. [..]

hi Michal,

personally i don't get your point (to me it seems just a hybrid
implementation using both server side and client side scripting) but i'm
sure you can better explain your intents

from what i saw it asks a php page to make an http query to the foreign
domain and then display back the page contents using js

so i suppose this is not a vulnerability at all, just an implementation
to (??) pass to javascript remote contents fetched using a machine !=
from the client/browser/whatever

anyway your implementation is a bit flawed

http://sectroyer.110mb.com/myhttp.php?url=file://myhttp.php&method=get

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
<?php
if(isset($_GET['url'])==true)
{
    $curl=curl_init();
    curl_setopt($curl,CURLOPT_COOKIE,$_GET['cookie']);
    curl_setopt($curl,CURLOPT_URL,rawurldecode($_GET['url']));
    curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
    if(($_GET['method']=="post") && (isset($_GET['vars'])==true))
    {
        $vars=rawurldecode($_GET['vars']);
        curl_setopt($curl,CURLOPT_POSTFIELDS,$vars);
    }
    $tmp=curl_exec($curl);
    curl_close($curl);
    echo "myglobalcallback(\"".rawurlencode($tmp)."\");";
}
?>
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

this is basically a proxy, it can make get/post requests to http only
hosts, saturate the server bandwidth *PLUS* naturally fetch any local
file : )

http://sectroyer.110mb.com/myhttp.php?url=file:///etc/passwd&method=get

please correct me if i misunderstood

best regards,
Francesco `ascii` Ongaro
http://www.ush.it/
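
A hardened form of the proxy quoted in the message above, as an added example that is not part of the original email or of either author's code. It assumes the proxy only ever needs a fixed set of remote hosts; `ALLOWED_HOSTS`, `validate_target()`, `fetch_remote()` and `api.example.com` are hypothetical names introduced here.

```php
<?php
// Added example, not the code from the email. ALLOWED_HOSTS is a constructed placeholder.
const ALLOWED_HOSTS = ['api.example.com'];
// Return the URL if the proxy may fetch it, or null if it must be refused.
function validate_target(string $raw): ?string
{
    $parts = parse_url($raw);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null; // malformed, relative, or host-less (file:///etc/passwd)
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // file://myhttp.php and every other non-HTTP scheme
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null; // not an approved host: no open proxy, no internal targets
    }
    return $raw;
}

function fetch_remote(string $url): ?string
{
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // second layer, inside libcurl
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false, // a redirect could leave the allowlist
        CURLOPT_TIMEOUT         => 10,    // bound the time one request can hold
    ]);
    $body = curl_exec($curl);
    curl_close($curl);
    return is_string($body) ? $body : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the two URLs from the email plus two extra cases.
    $samples = ['file://myhttp.php', 'file:///etc/passwd', 'http://127.0.0.1/', 'https://api.example.com/feed'];
    foreach ($samples as $u) {
        printf("%-30s %s\n", $u, validate_target($u) === null ? 'rejected' : 'allowed');
    }
} elseif (isset($_GET['url']) && is_string($_GET['url'])) {
    // PHP has already URL-decoded $_GET, so no second rawurldecode() here.
    $url  = validate_target($_GET['url']);
    $body = $url === null ? null : fetch_remote($url);
    if ($body === null) { http_response_code(400); exit; }
    header('Content-Type: application/javascript');
    echo 'myglobalcallback(' . json_encode(rawurlencode($body)) . ');';
}
```

Run from the command line, it prints the allow/reject decision for each sample URL without making any network request; only the last sample is allowed.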