#59 PHP Code Injection Vulnerability

V 5.3
closed-fixed
None
9
2015-08-03
2012-12-04
Anonymous
No

I was looking at this <http://osvdb.org/87546> report and I discovered
that the same parameter is vulnerable to a PHP Code Injection as well.
The vulnerable code is the following:

    86  if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
    87  {
    88      if($_REQUEST['_openSIS_PDF']=='true')
    89          ob_start();
    90      if(strpos($_REQUEST['modname'],'?')!==false)
    91      {
    92          $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
    93          $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
    94
    95          $vars = explode('?',$vars);
    96          foreach($vars as $code)
    97          {
    98              $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
    99              eval($code);
    100         }
    101     }

User input supplied through the 'modname' request variable may
be used to inject and execute arbitrary PHP code in the eval() call
at line 99. Furthermore the 'decode_unicode_url' function can be
leveraged to bypass magic_quotes_gpc restrictions.

Kind regards,
Egidio Romano
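
An added example, not part of the original report and not openSIS code: one way to handle the extra `?key=value` pairs from lines 90-100 as data, with no eval(). The function name `split_modname`, the key pattern and the sample input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Split "Module/File.php?key=value?key2=value2" (the form handled at
 * lines 90-100 of the report) into a module name and extra parameters,
 * treating every part as data. Hypothetical helper, not openSIS code.
 */
function split_modname(string $raw): array
{
    $parts   = explode('?', $raw);
    $modname = array_shift($parts);
    $vars    = [];

    foreach ($parts as $pair) {
        // Split on the first '=' only; the value may itself contain '='.
        $kv = explode('=', $pair, 2);
        if (count($kv) !== 2) {
            continue; // no '=' present: not a key/value pair
        }
        [$key, $value] = $kv;

        // Keys are restricted to identifier characters (assumed policy).
        if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key) !== 1) {
            continue;
        }

        // Any further decoding belongs here, applied to $value as a
        // string, never to generated PHP source.
        $vars[$key] = $value;
    }

    return [$modname, $vars];
}

// Constructed sample input: the quote and semicolon stay inert because
// nothing is ever passed to eval().
[$modname, $vars] = split_modname("Students/Student.php?last=O'Brien;x?id=7");
var_dump($modname, $vars);
```

Copying the returned pairs into $_REQUEST covers what lines 95-100 do for well-formed input, and the values never reach the PHP parser.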

Discussion

  • Anonymous

    Anonymous - 2012-12-04
    • priority: 5 --> 9
    • assigned_to: nobody --> kajalshaikh
     
  • admin@OS4ED

    admin@OS4ED - 2015-08-03
    • status: open --> closed-fixed
    • Group: --> V 5.3
     
