Bugtraq mailing list archives
Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
From: Julian Hall <jules () acris co uk>
Date: Fri, 27 Jul 2001 18:05:25 +0100
Sorry for the delay in responding here, but I've not had a chance to catch up with the list for a while, but:

Shaun Clowes wrote:
> As an alternate attack assisted by file upload consider the following example PHP code:
>
> <?php
> if (file_exists($theme)) // Checks the file exists on the local system (no remote files)
>     include("$theme");
> ?>
Is anyone really that naive? I, and I'm sure most other PHP users, would automatically write:

    <?php
    $themefile = "themes/$theme.inc";
    include ($themefile);
    ?>

If I was even remotely thinking about security I would check for the presence of directory separator characters in $theme (as it stands obviously the code would allow the inclusion of any file with the '.inc' suffix). You never include code from a filename specified directly by the user. That's a primary rule, and applies to server applications written in any language, not just PHP and other similar systems.
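The check described in the message above, written out as an added example that is not part of the original post: the theme name is validated against an allowlist and the resolved path is confirmed to sit inside the themes directory before anything is included. The helper name `resolve_theme()`, the 32-character limit and the temporary demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): map a user-supplied theme name
// to a file directly under $themeDir, or return null if it is not acceptable.
function resolve_theme(string $theme, string $themeDir): ?string
{
    // 1. Allowlist the name itself: letters, digits, '_' and '-' only.
    //    This rejects '/', '\', '.', NUL bytes and URL schemes in one step.
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $theme) !== 1) {
        return null;
    }

    // 2. Resolve both paths. realpath() returns false for a missing file and
    //    follows symlinks, so a link pointing elsewhere fails step 3.
    $base = realpath($themeDir);
    $path = realpath($themeDir . DIRECTORY_SEPARATOR . $theme . '.inc');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment: the resolved file must be a regular file in $base.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary themes directory holding one theme.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'themes_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'blue.inc', "<?php // theme\n");

$samples = ['blue', '../blue', '/etc/passwd', 'http://example.invalid/x', 'missing'];
foreach ($samples as $name) {
    $file = resolve_theme($name, $dir);
    // A caller would run include $file only when the result is not null.
    printf("%-26s => %s\n", $name, $file === null ? 'rejected' : 'include ' . basename($file));
}

unlink($dir . DIRECTORY_SEPARATOR . 'blue.inc');
rmdir($dir);
```

Only `blue` resolves to a file; the other constructed names are rejected either by the allowlist or because no matching file exists in the themes directory.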