From: [EMAIL PROTECTED]
Operating system: *unix
PHP version: 4.1.2
PHP Bug Type: *Web Server problem
Bug description: Vulnerability on function ` `

Hi! My name is Leandro, and I've been doing some PHP tests as I could.

The problem is: when I execute the command ``, I'm able to run any shell command that the HTTP user has rights to. OK! Everybody knows that. But I could copy /etc/passwd, and I did other things like: cp, mv, rm, mkdir, cat, netstat, ps...

Well, as you can see, I'm able to learn as many things as I want, like: which platform, software, local network, aliases, sendmail conf, apache conf, bind; copy the *.PHP, *.JSP, *.ASP ... files, and the server won't interpret them ("I can copy their code"); run software put on the server by me, ...

e.g.

    echo (`cat /etc/passwd`);
    echo (`ps ax`);
    echo (`netstat -an`);
    `cp /etc/named.conf /my/web/dir/named.conf`;
    `cp /your/web/dir/addcart.php /my/web/dir`;
    echo (`cat /your/web/dir/login.php /my/web/dir`);

Well, as seen above, I'm able to learn what I want about the server I am on. I think it's a terrible problem. I'm horrified about it.

Best regards.

Leandro Sousa de Carvalho
web developer - RJ - Brazil

--
Edit bug report at http://bugs.php.net/?id=16108&edit=1
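
For administrators who want to check whether their own server allows what the report describes, the following is an added example, not part of the original report or of PHP itself. It assumes PHP 7.0 or later; the helper names disabled_functions() and callable_exec_functions() are hypothetical.

```php
<?php
// Added example, not part of the original report. Assumes PHP 7.0 or later.
// Lists the command-execution entry points still callable under the running
// configuration. The backtick operator is shell_exec() under another
// spelling, so disabling shell_exec disables backticks as well.

// Hypothetical helper: parse a disable_functions value into a list of names.
function disabled_functions(string $ini): array
{
    $names = array_map('trim', explode(',', strtolower($ini)));
    return array_values(array_filter($names, 'strlen'));
}

// Hypothetical helper: which command-execution functions are still usable?
function callable_exec_functions(string $disableIni): array
{
    $candidates = ['shell_exec', 'exec', 'system', 'passthru',
                   'popen', 'proc_open', 'pcntl_exec'];
    $disabled = disabled_functions($disableIni);
    $open = [];
    foreach ($candidates as $fn) {
        // function_exists() is false for functions the build lacks or
        // that disable_functions has disabled.
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $open[] = $fn;
        }
    }
    return $open;
}

$current = (string) ini_get('disable_functions');
$open = callable_exec_functions($current);

if ($open === []) {
    echo "No command-execution functions are callable from PHP scripts.\n";
    exit(0);
}

echo "Callable from any script on this server: " . implode(', ', $open) . "\n";
if (in_array('shell_exec', $open, true)) {
    echo "shell_exec is enabled, so the backtick operator runs shell commands.\n";
}
// Merge what is already disabled with what is still open.
$wanted = array_unique(array_merge(disabled_functions($current), $open));
echo "php.ini: disable_functions = " . implode(',', $wanted) . "\n";
exit(1);
```

Request the script through the web server rather than the CLI, since the two can load different php.ini files. disable_functions is honoured only in php.ini, and it does not change which files the HTTP user can read.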