[WEB SECURITY] AT&T exposes /etc/passwd , bad php

Michael Condon admin at singulartechnologysolutions.com
Mon Jul 27 16:11:48 EDT 2009


Can anyone convince me (or anyone else) why I should ever use a QUERY_STRING
in a URL?

-----Original Message-----
From: Shane Forsythe [mailto:shane.forsythe at fau.edu] 
Sent: Monday, July 27, 2009 1:09 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] AT&T exposes /etc/passwd , bad php

In an amazing example of how not to do file operations with php.  AT&T 
has the following URL

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?pa
ge=

You can add ANY file to the end and will happily retrieve for you, 
though I'd suggest not actually testing it out
(some examples that were vurnable)
../../../../proc/cpuinfo
/etc/passwd  

It appears they have taken page offload and our now aware of it, but if 
you follow the comments here, it was active for a good portion and 
thoroughly combed over
http://www.reddit.com/r/programming/comments/94z5w/att_exposes_etcpasswd_bad
_php/


This seems to be an escalating of AT&T event regarding 4chan






----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list