[PHP-BUG] Bug #64170 [NEW]: ECHO with a character become a backdoor

Thu, 07 Feb 2013 10:58:15 -0800 

From:             yoco_smart at live dot cn
Operating system: windows & linux
PHP version:      Irrelevant
Package:          *General Issues
Bug Type:         Bug
Bug description:ECHO with a character become a backdoor

Description:
------------
echo function become a backdoor.
hello, i'm YoCo,from Silic Network Solutions Company,China.
I find that some character can make the function ECHO become the backdoor,
just one line!!
like this:
echo `$_POST[x]`;
the quote character is ``, not the '',it is diffrent between ' and `,is it
right?
i dont know why the `` will equal the function SYSTEM, i test it both on
the windows with iis and linux with apache,both of them are work well,
however the ECHO function become a hacker's backdoor, if some one use it,
the manager hard to find it.

Test script:
---------------
<?php
/* usage: test.php?x=dir */
echo `$_GET[x]`;
?>

Expected result:
----------------
the ECHO function becomes the SYSTEM function, just one line script.


-- 
Edit bug report at https://bugs.php.net/bug.php?id=64170&edit=1
-- 
Try a snapshot (PHP 5.4):   
https://bugs.php.net/fix.php?id=64170&r=trysnapshot54
Try a snapshot (PHP 5.3):   
https://bugs.php.net/fix.php?id=64170&r=trysnapshot53
Try a snapshot (trunk):     
https://bugs.php.net/fix.php?id=64170&r=trysnapshottrunk
Fixed in SVN:               https://bugs.php.net/fix.php?id=64170&r=fixed
Fixed in release:           https://bugs.php.net/fix.php?id=64170&r=alreadyfixed
Need backtrace:             https://bugs.php.net/fix.php?id=64170&r=needtrace
Need Reproduce Script:      https://bugs.php.net/fix.php?id=64170&r=needscript
Try newer version:          https://bugs.php.net/fix.php?id=64170&r=oldversion
Not developer issue:        https://bugs.php.net/fix.php?id=64170&r=support
Expected behavior:          https://bugs.php.net/fix.php?id=64170&r=notwrong
Not enough info:            
https://bugs.php.net/fix.php?id=64170&r=notenoughinfo
Submitted twice:            
https://bugs.php.net/fix.php?id=64170&r=submittedtwice
register_globals:           https://bugs.php.net/fix.php?id=64170&r=globals
PHP 4 support discontinued: https://bugs.php.net/fix.php?id=64170&r=php4
Daylight Savings:           https://bugs.php.net/fix.php?id=64170&r=dst
IIS Stability:              https://bugs.php.net/fix.php?id=64170&r=isapi
Install GNU Sed:            https://bugs.php.net/fix.php?id=64170&r=gnused
Floating point limitations: https://bugs.php.net/fix.php?id=64170&r=float
No Zend Extensions:         https://bugs.php.net/fix.php?id=64170&r=nozend
MySQL Configuration Error:  https://bugs.php.net/fix.php?id=64170&r=mysqlcfg

Reply via email to