[WEB SECURITY] Remote File Include Exploit

Andrew van der Stock vanderaj at greebo.net
Tue Jun 27 08:27:03 EDT 2006


This is due mostly to PHP's defaults, and then partially due to  
insufficient validation by the coder of untrusted input. Most PHP  
coders are simply unaware of the abilities of two key PHP features:

a) using the many functions which support URLs
b) using PHP wrapper compatible functions.

Most functions which are compatible with these do NOT mention it. You  
have to be aware that it exists and can be used.

If allow_url_fopen was off, and PHP wrappers were disabled by  
default, the amount of PHP programs which remain vulnerable would be  
vastly smaller - basically those which did not sanitize data being  
sent to system() and eval() and any other function which has the  
ability to use remote files.

thanks,
Andrew

On 27/06/2006, at 4:44 PM, Josh L. Perrymon wrote:

> Hey Guys,
>
> I was doing some reading on your site about current application  
> vulnerability classifications..
>
> What about Remote File include exploits? I hahve been seeing a lot  
> of these exploits appear lately in .php based sites.. is this  
> something new or more of a configuration/coding error?
> I have noticed a lot of hackers using C99 and R57 php shells to  
> control the server remotely.
>
> Cheers,
> Joshua Perrymon
> CEO
> Packet Focus
> www.packetfocus.com
> josh.perrymon at packetfocus.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2234 bytes
Desc: not available
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060627/7711721d/attachment.p7s>


More information about the websecurity mailing list