Re: [RFC][DISCUSSION] Script only includes
Yasuo Ohgaki wrote:
> We have been tried to educate users already and introduced some
> mitigations e.g. allow_url_include, open_basedir.
>
> However, enough time is passed to prove that wasn't enough, isn't it?
>
> PHP (many and these are _only_ few of them in the wild)
> http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=
I've arbitrarily checked the top most entry (u5CMS), and the LFI was
caused by echo file_get_contents($_GET['...']) basically. There was
neither include|require(_once) involved, nor move_uploaded_file(). From
my, admittedly very limited, experience, this is a rather common source
of LFI vulnerabilities in PHP applications. I'm afraid that educating
developers is the only way to avoid this kind of vulnerability.
--
Christoph M. Becker
Thread (23 messages)