Date: 07/14/01
- Next message: giancarlo pinerolo: "[phplib-dev] More: security: READ THIS!"
- Previous message: giancarlo pinerolo: "Re: [phplib-dev] guidelines for phplib-based packages design/integration?"
- Next in thread: giancarlo pinerolo: "[phplib-dev] More: security: READ THIS!"
- Reply: giancarlo pinerolo: "[phplib-dev] More: security: READ THIS!"
- Reply: giancarlo pinerolo: "[phplib-dev] ... and more"
- Reply: nathan r. hruby: "Re: [phplib-dev] security: READ THIS!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gosh
With regard to this paper, named PHP Security Paper (a study in scarlet)...
http://www.securereality.com.au/studyinscarlet.txt
I always thought _PHPLIB was a defined constant; now I realize it is an array.
Try this script please, which can override the $_PHPLIB[libdir] value.
In the third input field, which overrides _PHPLIB[libdir], type '/tmp/', and it will include a file named 'test' there.
Giancarlo
............
<?
// This script relies on register_globals being on (the PHP default at the time):
// every request variable is imported into the global namespace, so a POST field
// named _PHPLIB[libdir] silently creates/overwrites $_PHPLIB['libdir'] before
// the include below runs.
if (!$HTTP_POST_VARS['step2'])
{
?>
<form action="<?echo $PHP_SELF?>" method=post>
$HTTP_GET_VARS[mytest] var:<br>
<input name="HTTP_GET_VARS[mytest]" value="1" >
<br>
the variable $mytest2 var:<br>
<input type=text name="mytest2" value="2" >
<br>$_PHPLIB[libdir] var <br>
(trailing slash required, will include a file named 'test' there)<br>
<input name="_PHPLIB[libdir]" value="1" >
<input type=submit name=step2>
</form>
<?
}
else
{
echo "the HTTP_GET_VARS[mytest] --> ".$HTTP_GET_VARS["mytest"]."<br>";
echo "the variable mytest2 --> ".$HTTP_POST_VARS["mytest2"]."<br>";
echo "_PHPLIB[libdir] --> ".$HTTP_POST_VARS["_PHPLIB"]["libdir"]."<br>";
echo "including the file 'test' in the submitted _PHPLIB[libdir] directory<br>";
// $_PHPLIB is never assigned by this script: its value comes entirely from the POST body.
include ($_PHPLIB["libdir"]."test");
}
?>
.......
file 'test' placed in /tmp/
<?
echo "<h1>CIAO</h1>";
?>
-- Unsubscribe by mail to: phplib-dev-unsubscribe <email protected> Command list by mail to: phplib-dev-help <email protected>
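The post above shows the failure mode: a script includes a file from a directory it never set itself, so under register_globals a request field chooses the directory. The following is an added example, not code from the phplib-dev post or from PHPLIB; it shows the same include written so that request data cannot pick the path. The library directory /usr/local/lib/phplib/ and the file name test.inc are placeholders, and the helper phplib_safe_include_path is hypothetical (it is not a PHPLIB function).

```php
<?php
// Added example (not from the phplib-dev post or PHPLIB): an include whose
// directory is fixed in code before any request data can influence it.
// Assumptions: libdir is /usr/local/lib/phplib/ (placeholder) and this script
// is the first code executed for the request.

// 1. Assign the library directory unconditionally. With register_globals on,
//    a POST field named _PHPLIB[libdir] would already have populated $_PHPLIB;
//    overwriting the whole array discards that client-supplied value.
$_PHPLIB = array();
$_PHPLIB['libdir'] = '/usr/local/lib/phplib/';   // placeholder path

// 2. Refuse to run while register_globals is on at all: once the client can
//    inject arbitrary globals, no variable below can be trusted.
//    (ini_get returns false on PHP 5.4+, where the directive no longer exists.)
if (ini_get('register_globals')) {
    die('register_globals must be off');
}

// 3. Resolve the file and verify it still lies inside libdir, so that even a
//    later bug that lets a caller influence $name cannot escape the directory.
function phplib_safe_include_path($libdir, $name)
{
    $base   = realpath($libdir);
    $target = realpath($libdir . $name);
    if ($base === false || $target === false) {
        return false;                       // directory or file does not exist
    }
    // The resolved file must start with "<base>/"; realpath has already
    // collapsed any ../ sequences and symlinks in $target.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;                       // resolved outside the library directory
    }
    return $target;
}

$path = phplib_safe_include_path($_PHPLIB['libdir'], 'test.inc');
if ($path === false) {
    die('refusing to include a file outside libdir');
}
include $path;
```

The essential change is step 1: the value used in `include` is assigned by the script itself, after the request has been parsed, rather than assumed to be present from a prepend file or the global namespace. Steps 2 and 3 are defence in depth; turning `register_globals` off in php.ini removes the whole class of overwrite the post demonstrates.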