OT, but related -- WAS: [Mailwatch-users] Active Probes heads up

Anthony Cartmell ajcartmell at fonant.com
Fri Feb 27 19:18:13 GMT 2009

> Thanks for sharing your post here. According to the link the exploit
> only works when magic_gpc_quotes is Off in php.ini.

Yeah, but I don't understand why they say that. The offending code is:


So you don't need anything fancy, just something like  

Ah, I see, you need a NULL so that the ".html" bit is ignored.

With magic_quotes_gpc the NULL would be escaped, so you'd only be able to  
include any *.html files. Still not good.

And magic_quotes_gpc should be off for all sorts of other security reasons  
(which is why it's deprecated, and won't be in PHP 6).

> Does anybody here have the patch code?

Insert this after the html_start("Documentation"); line:

   die('Needs fixing to avoid arbitrary file inclusion.');


www.fonant.com - Quality web sites
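
Added example, not part of the original message and not MailWatch's own code: one way to go beyond the stopgap `die()` is to validate the requested page name before any file is touched, so that neither the NULL trick nor a path to some other *.html file gets through. The function name `resolve_doc_page`, the docs directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; resolve_doc_page() and the docs directory are hypothetical names.
function resolve_doc_page($requested, string $docDir): ?string
{
    // Reject non-strings such as array-valued request parameters.
    if (!is_string($requested)) {
        return null;
    }
    // Strict character allowlist: no NUL, no dots, no slashes, so neither
    // suffix truncation nor directory traversal can be expressed at all.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $base = realpath($docDir);
    if ($base === false) {
        return null;
    }
    // Resolve symlinks, then confirm the result is still inside $docDir.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.html');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demonstration: a temporary docs directory holding one page.
$docDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docs_demo_' . getmypid();
@mkdir($docDir);
file_put_contents($docDir . DIRECTORY_SEPARATOR . 'install.html', '<p>Install notes</p>');

// Constructed inputs: a valid name, a NUL-terminated name, a traversal
// attempt, a page that does not exist, and an array parameter.
$samples = ['install', "install\0", '../../etc/passwd', 'missing', ['x']];
foreach ($samples as $s) {
    $hit = resolve_doc_page($s, $docDir);
    printf("%-24s => %s\n", json_encode($s), $hit === null ? 'rejected' : 'served');
}

unlink($docDir . DIRECTORY_SEPARATOR . 'install.html');
rmdir($docDir);
// In the page handler, send the result with readfile($path) rather than
// include, so the file is output as data and never executed as PHP.
```

Only the first sample is served; the check does not depend on magic_quotes_gpc being on or off.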
