Edit report at https://bugs.php.net/bug.php?id=64170&edit=1
ID: 64170 Updated by: s...@php.net Reported by: yoco_smart at live dot cn Summary: ECHO with a character become a backdoor -Status: Open +Status: Not a bug Type: Bug Package: *General Issues Operating System: windows & linux PHP Version: Irrelevant Block user comment: N Private report: N New Comment: Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Due to the volume of reports we can not explain in detail here why your report is not a bug. The support channels will be able to provide an explanation for you. Thank you for your interest in PHP. See http://php.net/manual/en/language.operators.execution.php Previous Comments: ------------------------------------------------------------------------ [2013-02-07 18:57:54] yoco_smart at live dot cn Description: ------------ echo function become a backdoor. hello, i'm YoCo,from Silic Network Solutions Company,China. I find that some character can make the function ECHO become the backdoor, just one line!! like this: echo `$_POST[x]`; the quote character is ``, not the '',it is diffrent between ' and `,is it right? i dont know why the `` will equal the function SYSTEM, i test it both on the windows with iis and linux with apache,both of them are work well, however the ECHO function become a hacker's backdoor, if some one use it, the manager hard to find it. Test script: --------------- <?php /* usage: test.php?x=dir */ echo `$_GET[x]`; ?> Expected result: ---------------- the ECHO function becomes the SYSTEM function, just one line script. ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=64170&edit=1
