OT, but related -- WAS: [Mailwatch-users] Active Probes heads up
Anthony Cartmell
ajcartmell at fonant.com
Fri Feb 27 19:18:13 GMT 2009
> Thanks for sharing your post here. According to the link the exploit
> only works when magic_quotes_gpc is Off in php.ini.
Yeah, but I don't understand why they say that. The offending code is:
    include("docs/".$_GET[doc].".html");
So you don't need anything fancy, just something like
    ?doc=../../../../etc/passwd
Ah, I see, you need a NULL so that the ".html" bit is ignored.
With magic_quotes_gpc the NULL would be escaped, so you'd only be able to
include any *.html files. Still not good.
And magic_quotes_gpc should be off for all sorts of other security reasons
(which is why it's deprecated, and won't be in PHP 6).
> Does anybody here have the patch code?
Insert this after the html_start("Documentation"); line:
    die('Needs fixing to avoid arbitrary file inclusion.');
HTH,
Anthony
--
www.fonant.com - Quality web sites
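
An added example, not part of the original post and not MailWatch's own patch: one way to replace the stopgap die() with a lookup that only ever serves files from the docs directory. The helper name resolve_doc(), the allowed name pattern and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not MailWatch code. resolve_doc() is a hypothetical helper;
// the docs directory layout and the allowed name pattern are assumptions.

// Map a user-supplied document name to a file inside $docRoot,
// or return null when the name is not acceptable.
function resolve_doc($name, $docRoot)
{
    // 1. Accept plain names only: no slashes, dots or NUL bytes, so
    //    directory traversal and ".html" truncation are both refused.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Resolve both paths. realpath() follows symlinks and returns
    //    false when the file does not exist.
    $root = realpath($docRoot);
    $path = realpath($docRoot . DIRECTORY_SEPARATOR . $name . '.html');
    if ($root === false || $path === false) {
        return null;
    }

    // 3. Confirm the resolved file still lives under the docs directory.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// In the page this would take the place of the include():
//   $doc  = isset($_GET['doc']) ? $_GET['doc'] : '';
//   $file = resolve_doc($doc, __DIR__ . '/docs');
//   if ($file === null) { die('Unknown document.'); }
//   readfile($file);   // assumes the docs are static HTML, not PHP

// Constructed demo: a temporary docs directory holding one page.
$root = sys_get_temp_dir() . '/docs_demo_' . getmypid();
mkdir($root);
file_put_contents($root . '/intro.html', '<p>intro</p>');
$samples = array('intro', '../../../../etc/passwd', "intro\0", 'missing');
foreach ($samples as $name) {
    $file = resolve_doc($name, $root);
    printf("%-30s => %s\n", json_encode($name), $file === null ? 'rejected' : 'served');
}
unlink($root . '/intro.html');
rmdir($root);
```

Using readfile() instead of include() means a file that does get served is sent as data and never executed as PHP.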