Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
From: Julian Hall (jules@acris.co.uk)
Date: 07/27/01
- Previous message: rudi carell: "Entrust - getAccess"
- Next in thread: salo: "Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications"
- Reply: salo: "Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3B619F54.4DAACC0E@acris.co.uk>
Date: Fri, 27 Jul 2001 18:05:25 +0100
From: Julian Hall <jules@acris.co.uk>
To: Shaun Clowes <shaun@securereality.com.au>
Subject: Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
Sorry for the delay in responding here; I've not had a chance to catch up
with the list for a while, but:
Shaun Clowes wrote:
> As an alternate attack assisted by file upload consider the following
> example PHP code:
>
> <?php
> if (file_exists($theme)) // Checks the file exists on the local system (no remote files)
>     include("$theme");
> ?>
Is anyone really that naive? I, and I'm sure most other PHP users, would
automatically write:
<?php
// $theme is assumed to arrive straight from the request (register_globals
// was on by default in PHP 4.0), so the user controls part of the path
$themefile = "themes/$theme.inc";
include($themefile);
?>
If I was even remotely thinking about security I would check for the presence
of directory separator characters in $theme (as it stands obviously the code
would allow the inclusion of any file with the '.inc' suffix). You never
include code from a filename specified directly by the user. That's a primary
rule, and applies to server applications written in any language, not just PHP
and other similar systems.
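The pattern discussed above, as an added example that is not part of the original thread: the unchecked `themes/$theme.inc` include beside a hardened version that goes a step further than the separator check by allowlisting the theme name and confirming the resolved path stays inside the theme directory. The `themes/` layout, the `THEME_DIR` constant and the sample inputs are assumptions.

```php
<?php
// Added example (not from the original post). Assumes themes live in
// themes/<name>.inc under this script's directory; inputs are constructed.
declare(strict_types=1);

const THEME_DIR = __DIR__ . '/themes';

// Unchecked: a '../' component or an absolute path in $theme escapes the
// themes directory, so any readable *.inc file on the server can be included.
function themePathUnchecked(string $theme): string
{
    return "themes/$theme.inc";
}

// Hardened: accept only a plain theme name, then resolve the final path and
// verify it is still under THEME_DIR before it is ever handed to include().
function themePathChecked(string $theme): ?string
{
    // Letters, digits, '-' and '_' only: no '/', '\\', '.' or NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $theme)) {
        return null;
    }
    $real = realpath(THEME_DIR . '/' . $theme . '.inc');
    if ($real === false) {
        return null;                        // no such theme file
    }
    $base = realpath(THEME_DIR);
    $prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
    if ($prefix === '' || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                        // resolved outside the theme tree
    }
    return $real;
}

// Constructed inputs: a normal name, a traversal attempt, a NUL-byte attempt.
foreach (['default', '../config', "blue\0"] as $theme) {
    printf("%-12s unchecked=%-22s checked=%s\n",
        json_encode($theme),
        themePathUnchecked($theme),
        themePathChecked($theme) ?? 'rejected');
}

// Only include once the check has returned a path (request key is assumed):
// if (($p = themePathChecked($_GET['theme'] ?? '')) !== null) { include $p; }
```

Because `realpath()` requires the file to exist, the hardened function also refuses names that pass the pattern but have no matching theme file, which doubles as the `file_exists()` check from the original code.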