ID: 15187
Updated by: jan
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Linux 2.4
PHP Version: 4.1.1
New Comment:
I call it a user error. no external sources are to be trusted with no
error/security/integrity check.
Previous Comments:
------------------------------------------------------------------------
[2002-01-23 15:30:20] [EMAIL PROTECTED]
Hello,
I think there is a pretty large security issue in PHP. E.g. we have 2
servers, we call server 1 'embrace', and name server 2 'kossy'.
on embrace we create a file index.php:
<? include("http://kossy/issue.php";); ?>
on kossy we create a file issue.php:
<? system($cmd); ?>
well, if we now type: http://embrace/index.php?cmd=ls we see the 'ls'
output from kossy. This is the way it should be.. BUT, when we disable
PHP op kossy we get a rather nasty bug (imho).
If we type http://embrace/index.php?cmd=ls again (where kossy has no
PHP support) embrace includes the PHP source code from kossy and then
parses the file, which will give us the 'ls' result on embrace.
This can be used for numerous attacks. And I PHP should only include
parsed PHP or non-PHP files from external (http://) links.
Bye,
Tozz
------------------------------------------------------------------------
Edit this bug report at http://bugs.php.net/?id=15187&edit=1
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
