theblacksheep (27.05.2006 10:02:57)

This guestbook saves a file for every user in the "user/" folder with all the information about him. Example:

---------------------------------------------------
<?
$Rnick = "test";
$Ricq = "";
$Remail = "none@none.none";
$Rpasswort = "098f6bcd4621d373cade4e832627b4f6";
$Rhomepage = "http://whatever.com";
$Raim = "";
# --------------------------------------------------

The name is the nick + ".usr". I was hoping that even more stuff is possible but I wasn't able to pull anything bigger so far.

Gome (27.05.2006 10:11:46)

Funny.. forgot to close the <? ?> and added .usr as a php-file.. nice.

unknown user (27.05.2006 10:58:45)

I can't find anywhere where I can check your findings but, based on what you are saying, I would: use a nickname that ends in .php like test.php; chances are that the webserver will interpret test.php.usr as a php file. Then embed some code in, for example, the email addy.

theblacksheep (27.05.2006 14:50:50)

I haven't checked if it is possible to use the "." in the username, but why do you expect the webserver to treat a ".php.usr" as a ".php" file? It is also not necessary, because every ".usr" gets included at one point, but you can't inject your own php code. The reason is that everything you enter is dealt with as a string (it is embedded in quotations). There is also no way to get out of them, because if you enter a quotation it gets escaped.

---------------------------------------------------
<?
$Rnick = "<?php echo \"Hello World!\";?>";
...
# --------------------------------------------------

Edited by theblacksheep on 27.05.2006 14:51:52

unknown user (27.05.2006 19:57:06)

Basically because that's what webservers do. I first noticed this behavior when trying to download .php.back files. I believe it to be a protection against backup files. Since lots of editors make backup files like this, it would be sensible to prevent the webserver from displaying these files as plain text. And that's what happens.

logos (28.05.2006 03:58:08)

rhican, you're right, I've read about this a while ago.. Here's some proof I found on google: http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/039541.html It is said that if the server doesn't recognize the extension after .php (.php.*), then it will interpret the file as a php-file and run it. You can find more with the right search string..

Edited by logos on 28.05.2006 04:01:50

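The two weaknesses the thread circles around are design issues rather than escaping bugs: the guestbook writes user input into a PHP source file that is later included (so its safety rests entirely on the quoting being perfect), and it builds the file name from the nick (so a nick containing dots can produce a name with a secondary extension, which mod_mime may hand to the PHP handler). The following is an added example, not the guestbook's code or anything from the thread, showing how a per-user record can be kept as data instead of code. The function names, the .json suffix, the field names taken from the posted file, and the 32-character nick limit are assumptions made for this example.

```php
<?php
// Added example, not the guestbook's own code: store the user record as data
// (JSON) instead of writing it out as a PHP source file that is later included,
// and keep the nick out of the file name unless it passes a strict allowlist.
// The "user/" folder and one-file-per-nick layout follow the thread; function
// names, the .json suffix and the 32-character limit are assumptions.

declare(strict_types=1);

const USER_DIR = __DIR__ . '/user';

// Only letters, digits, underscore and hyphen: no dots, so a nick like
// "test.php" can never yield a "test.php.usr"-style name that mod_mime might
// treat as PHP, and no "/" or "..", so the path stays inside USER_DIR.
function validNick(string $nick): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $nick) === 1;
}

function userFile(string $nick): string
{
    if (!validNick($nick)) {
        throw new InvalidArgumentException('invalid nick');
    }
    return USER_DIR . '/' . $nick . '.json';
}

// Save: the record is JSON-encoded. Whatever the user typed (quotes, "<?php",
// backslashes) is stored as string data; nothing in this file is ever executed.
function saveUser(string $nick, array $fields): void
{
    $record = [
        'nick'     => $nick,
        'icq'      => $fields['icq'] ?? '',
        'email'    => $fields['email'] ?? '',
        // Store a proper password hash; the posted file holds a bare 32-hex hash.
        'passwort' => password_hash($fields['passwort'] ?? '', PASSWORD_DEFAULT),
        'homepage' => $fields['homepage'] ?? '',
        'aim'      => $fields['aim'] ?? '',
    ];
    if (!is_dir(USER_DIR) && !mkdir(USER_DIR, 0700, true)) {
        throw new RuntimeException('cannot create user dir');
    }
    $json = json_encode($record, JSON_THROW_ON_ERROR);
    file_put_contents(userFile($nick), $json, LOCK_EX);
}

// Load: json_decode() parses data and replaces the include() of a .usr file.
function loadUser(string $nick): ?array
{
    $path = userFile($nick);
    if (!is_file($path)) {
        return null;
    }
    return json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// Demo with constructed input, reusing the values and nicks discussed above.
saveUser('test', [
    'email'    => 'none@none.none',
    'homepage' => 'http://whatever.com',
    'passwort' => 'test',
    'icq'      => '<?php echo "Hello World!"; ?>',
]);
var_dump(loadUser('test')['icq']);   // the tag comes back as plain text
var_dump(validNick('test.php'));     // bool(false): rejected before any file is named
var_dump(validNick('../../index'));  // bool(false)
```

Two deployment notes belong with this: the data directory should sit outside the document root, or be blocked in Apache 2.4 with a `<Directory>` block containing `Require all denied`; and the PHP handler should be bound with `<FilesMatch "\.php$">` rather than `AddHandler`/`AddType` for `.php`, since the latter is exactly the multiple-extension behaviour the full-disclosure post linked above describes.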
theblacksheep (28.05.2006 07:38:04)

Ohh, I haven't heard of that issue before. Thank you for pointing it out. This one can get you into real trouble.

tbs

unknown user (28.05.2006 12:07:56)

Indeed it can. That's how my uni's wiki system was exploitable: it saved the text plain in a subject.wiki file and filtered the contents when displaying .. however ..