|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Phpjobscheduler 3.0 - Multiple Remote File Include
From: str0ke (str0ke
milw0rm.com)
Date: Sat Nov 18 2006 - 15:48:12 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 11/18/06, Stefano Zanero <s.zanerosecurenetwork.it> wrote:
> Firewall1954hotmail.com wrote:
>
> > # Phpjobscheduler 3.0 - Multiple Remote File Include by Firewall
>
> Bogus
>
> > # Code:
> > include_once($installed_config_file)
>
> include_once("functions.php"); some lines above includes a file which
> statically sets that variable, so
>
> > # ExPloit :
>
> None of these work.
>
> Please stop reporting bogus vulnerabilities ! Thanks !
>
> Stefano
>
$installed_config_file = "config.inc.php";
if ($_REQUEST) foreach ($_REQUEST AS $key => $value) $$key = $value;
The line below the variable being defined is what makes this vulnerable.
Be safe,
/str0ke
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]