Full Disclosure mailing list archives

Re: flaw in php_exec_dir patch

From: npguy <npguy () websurfer com np>
Date: Thu, 24 Jun 2004 20:32:24 +0545

is your safe mode on? .. whats ur platorm. 
give more details! 

On Wednesday 23 June 2004 07:05 am, VeNoMouS wrote:

Found a issue last night while testing php_exec_dir patch

if you do the following

$blah=`ps aux`;
echo nl2br($blah);

php_exec_dir will block the call if you have set the exec_dir parm in php
or apache

anyway.... if you do this

$blah=`;ps aux`;
echo nl2br($blah);

it bypasses the exec block and excutes the ps due to the ';', as bash
interrupts ';' as a new cmd, ive emailed the author but no response.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

flaw in php_exec_dir patch VeNoMouS (Jun 22)
- Re: flaw in php_exec_dir patch npguy (Jun 24)
  - Re: flaw in php_exec_dir patch Tim (Jun 25)
    - Re: flaw in php_exec_dir patch VeNoMouS (Jun 26)
  - Re: flaw in php_exec_dir patch VeNoMouS (Jun 25)
    - Re: flaw in php_exec_dir patch npguy (Jun 26)
    - ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0 D'Amato Luigi (Jun 26)