OT, but related -- WAS: [Mailwatch-users] Active Probes heads up

Anthony Cartmell ajcartmell at fonant.com
Fri Feb 27 19:18:13 GMT 2009


> Thanks for sharing your post here. According to the link the exploit
> only works when magic_quotes_gpc is Off in php.ini.

Yeah, but I don't understand why they say that. The offending code is:

   include("docs/".$_GET[doc].".html");

So you don't need anything fancy, just something like ?doc=../../../../etc/passwd

Ah, I see, you need a NULL so that the ".html" bit is ignored.

With magic_quotes_gpc the NULL would be escaped, so you'd only be able to  
include any *.html files. Still not good.

And magic_quotes_gpc should be off for all sorts of other security reasons  
(which is why it's deprecated, and won't be in PHP 6).

> Does anybody here have the patch code?

Insert this after the html_start("Documentation"); line:

   die('Needs fixing to avoid arbitrary file inclusion.');

HTH,

Anthony
-- 
www.fonant.com - Quality web sites
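For reference, here is one way the offending include could be hardened. This is an added example, not code from the post or from the application being discussed; DOCS_DIR, resolve_doc_path() and the 404 handling are assumptions for illustration, and html_start("Documentation") is the existing page function the post mentions. The idea is to stop relying on magic_quotes_gpc entirely: restrict the document name to a safe character set (which rejects "../", "/" and the NUL byte that would otherwise truncate the ".html" suffix) and then confirm that the resolved path really lies inside the docs directory.

```php
<?php
// Added example (not from the mailing-list post): a hardened replacement for
//   include("docs/".$_GET[doc].".html");
// DOCS_DIR and resolve_doc_path() are names assumed for this illustration.

define('DOCS_DIR', __DIR__ . '/docs');

/**
 * Return the absolute path of the requested help page, or null when the
 * request is not an acceptable document name or does not exist under docs/.
 */
function resolve_doc_path(string $doc): ?string
{
    // Allow only letters, digits, underscore and hyphen. This alone rejects
    // "../", "/", "\\" and "\0" (the NUL trick used to drop the ".html" suffix),
    // so the filesystem never sees attacker-controlled path syntax.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $doc)) {
        return null;
    }

    $base = realpath(DOCS_DIR);
    $path = realpath(DOCS_DIR . '/' . $doc . '.html');

    // realpath() returns false if the file does not exist. The prefix check is
    // defence in depth in case a symlink inside DOCS_DIR points elsewhere.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

html_start("Documentation");

// Default to the index page; non-string values (e.g. ?doc[]=x) are rejected.
$doc  = (isset($_GET['doc']) && is_string($_GET['doc'])) ? $_GET['doc'] : 'index';
$path = resolve_doc_path($doc);

if ($path === null) {
    http_response_code(404);
    echo '<p>Unknown documentation page.</p>';
} else {
    include $path;
}
```

The allowlist regex does the real work; the realpath() prefix comparison is there so that the check still holds if the directory layout changes later. Because the input is validated rather than escaped, the behaviour no longer depends on the magic_quotes_gpc setting at all.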

