[WEB SECURITY] AT&T exposes /etc/passwd , bad php

Arian J. Evans arian.evans at anachronic.com
Mon Jul 27 19:27:54 EDT 2009


On Mon, Jul 27, 2009 at 1:11 PM, Michael Condon
<admin at singulartechnologysolutions.com> wrote:
>
> Can anyone convince me (or anyone else) why I should ever use a QUERY_STRING
> in a URL?

Because that is where those Query_Strings live by definition.

http://www.ietf.org/rfc/rfc1738

It would not make any difference if this function were wired up to a
POST [or any other] request, aside from possibly taking slightly more
overhead to automate discovery and exploitation *if* it required some
form of input to execute the query. Otherwise function == same.

--
Arian Evans


>
> -----Original Message-----
> From: Shane Forsythe [mailto:shane.forsythe at fau.edu]
> Sent: Monday, July 27, 2009 1:09 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] AT&T exposes /etc/passwd , bad php
>
> In an amazing example of how not to do file operations with PHP, AT&T
> has the following URL
>
> http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=
>
> You can add ANY file to the end and it will happily retrieve it for you,
> though I'd suggest not actually testing it out
> (some examples that were vulnerable)
> ../../../../proc/cpuinfo
> /etc/passwd
>
> It appears they have taken the page offline and are now aware of it, but if
> you follow the comments here, it was active for a good portion and
> thoroughly combed over
> http://www.reddit.com/r/programming/comments/94z5w/att_exposes_etcpasswd_bad_php/
>
>
> This seems to be an escalation of the AT&T event regarding 4chan
>
>
>
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>

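The two points in this thread, a `page=` value passed straight to a file operation (the bug Shane reports) and Arian's observation that moving the parameter to POST changes nothing, side by side as an added example. This is illustrative code written for this page; it is not AT&T's subpage.php, which the thread never shows. The `pages/` directory, the `PAGES` allowlist entries and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustrative example, not code from the original thread or from
// AT&T's site. The thread only reports that subpage.php?page= returned
// ../../../../proc/cpuinfo and /etc/passwd.

// Vulnerable shape: the request value *is* the path. Relative "../"
// segments walk out of the web root and an absolute path like /etc/passwd
// is used as given. Reading $page from $_POST, a cookie or a header instead
// of $_GET does not change this; it only changes how the attacker sends it.
function vulnerable_subpage(string $page): string
{
    return (string) file_get_contents($page);
}

// Fix 1 (preferred): the request value is a key into an allowlist and is
// never used as a path at all. Entries are assumed for the example.
const PAGES = [
    'overview' => 'overview.html',
    'videos'   => 'videos.html',
];

function safe_subpage_allowlist(string $page, string $base): string
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        return '';
    }
    return (string) file_get_contents($base . '/' . PAGES[$page]);
}

// Fix 2: when pages are added dynamically and an allowlist is impractical,
// canonicalise the joined path and require it to stay under $base.
function safe_subpage_realpath(string $page, string $base): string
{
    $root   = realpath($base);
    $target = realpath($base . '/' . $page);
    // realpath() returns false for a nonexistent file, so a traversal that
    // lands outside $base, an absolute path glued onto $base, and a plain
    // missing page all fall through to the same rejection.
    if ($root === false || $target === false
        || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return '';
    }
    return (string) file_get_contents($target);
}

// Dispatch. $_REQUEST merges GET, POST and cookie input, which makes the
// point explicit: the check has to be on the value, not on the HTTP method.
$page = (string) ($_REQUEST['page'] ?? '');
echo safe_subpage_allowlist($page, __DIR__ . '/pages');
```

The allowlist is the better fix because the user-controlled string never reaches the filesystem; the `realpath()` variant is a containment check, and it only works because `realpath()` resolves `..` and symlinks before the prefix comparison, so comparing the raw `$base . '/' . $page` string instead would still let `../` through.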