ID: 15187
Updated by: sesser
Reported By: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Scripting Engine problem
Operating System: Linux 2.4
PHP Version: 4.1.1
New Comment:
RTFM!
Include is for including PHP scripts into your PHP script.
If you only want to include parsed output then do not use
include.
Previous Comments:
------------------------------------------------------------------------
[2002-01-23 15:36:28] [EMAIL PROTECTED]
I call it a user error. no external sources are to be trusted with no
error/security/integrity check.
------------------------------------------------------------------------
[2002-01-23 15:30:20] [EMAIL PROTECTED]
Hello,
I think there is a pretty large security issue in PHP. E.g. we have 2
servers, we call server 1 'embrace', and name server 2 'kossy'.
on embrace we create a file index.php:
<? include("http://kossy/issue.php";); ?>
on kossy we create a file issue.php:
<? system($cmd); ?>
well, if we now type: http://embrace/index.php?cmd=ls we see the 'ls'
output from kossy. This is the way it should be.. BUT, when we disable
PHP op kossy we get a rather nasty bug (imho).
If we type http://embrace/index.php?cmd=ls again (where kossy has no
PHP support) embrace includes the PHP source code from kossy and then
parses the file, which will give us the 'ls' result on embrace.
This can be used for numerous attacks. And I PHP should only include
parsed PHP or non-PHP files from external (http://) links.
Bye,
Tozz
------------------------------------------------------------------------
Edit this bug report at http://bugs.php.net/?id=15187&edit=1
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
