[VIM] true: 1024 CMS LFI: fun protection scheme failure
Steven M. Christey
coley at mitre.org
Fri May 4 00:26:47 UTC 2007
Ref: MILW0RM:3832
Researcher: Dj7xpl
This manipulation caught the eye of one of our analysts:

  http://Target.com/1024/includes/download.php?item=../uploads/../../../../../etc/passwd

Is "../uploads/" really needed?

Turns out that it *is* needed (or anything of length 11):

  //Prevent hacker attacks
  $path = "../uploads/";
  $filename = substr($_GET['item'], 11);
  $filename = $path.$filename;

Hmmm, "../uploads/" is length 11!

Later:

  readfile("$filename");

It's not clear to me what attack the programmer was trying to prevent
here, but it's interesting. To me anyway ;-)

- Steve
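
Added example (not part of the original post, and not 1024 CMS code): the substr() logic quoted above, next to a download check that canonicalizes the requested path and verifies it stays under the uploads directory. resolve_download() and the temporary sandbox layout are hypothetical names constructed for the demonstration.

```php
<?php
// Added example, not 1024 CMS code. resolve_download() and the sandbox
// layout below are hypothetical and constructed for this demonstration.

// The logic quoted in the post: drop 11 characters, prepend the prefix.
function original_path(string $item): string {
    $path = "../uploads/";
    return $path . substr($item, 11);
}

// Hardened form: canonicalize first, then require containment in the base.
function resolve_download(string $baseDir, string $item): ?string {
    $base = realpath($baseDir);
    if ($base === false || strpos($item, "\0") !== false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $item);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The trailing separator keeps a sibling such as "uploads-old" from matching.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sandbox: <tmp>/uploads/report.txt and <tmp>/secret.txt
$root = sys_get_temp_dir() . "/lfi_demo_" . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/report.txt", "ok");
file_put_contents("$root/secret.txt", "outside");

// substr() removes 11 bytes without checking what they were or what follows,
// so both inputs produce the same path, with the traversal still in it.
var_dump(original_path("../uploads/../../secret.txt"));
var_dump(original_path("AAAAAAAAAAA../../secret.txt"));

// The containment check accepts the upload and rejects the escape.
var_dump(resolve_download("$root/uploads", "report.txt") !== null);
var_dump(resolve_download("$root/uploads", "../secret.txt") === null);

// Remove the sandbox.
unlink("$root/uploads/report.txt");
unlink("$root/secret.txt");
rmdir("$root/uploads");
rmdir($root);
```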