php code injection attack
Submitted by rollins on Tue, 2009-07-07 02:28.
| Project: | phpAlbum.net |
| Version: | 0.4.1-14_fix05 |
| Component: | Code |
| Category: | bug |
| Priority: | critical |
| Assigned: | patrik |
| Status: | in work |
Description
You can execute arbitrary PHP commands by passing main.php specially crafted parameters. For example,
main.php?cmd=setquality&var1=1'.phpinfo().'
will result in a "create_function()" call that will execute the phpinfo() command.
Updates
#1 submitted by patrik on Thu, 2009-07-16 20:38
| Status: | new | » in work |
Thanks for posting! This is by far the most serious bug I ever produced ...
Do you have more examples?
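
The pattern behind the report, as an added example that is not phpAlbum's own code and not part of either post: the reported var1 value closes a quoted literal once it is pasted into text that create_function() compiles, while a setter that treats the value as data rejects it. The function names, the config array and the 1-100 quality range are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration. phpAlbum's real source is not shown on the page, so
// every function name and the 1-100 range here are assumptions.

// Vulnerable pattern: a request value is pasted between quotes in a string
// that is later compiled as PHP (the body handed to create_function()).
function build_body_vulnerable(string $var1): string
{
    return "return '" . $var1 . "';";
}

// Hardened pattern: the value stays data; parse, range check, then store.
function set_quality(array &$config, string $var1): bool
{
    $quality = filter_var($var1, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    if ($quality === false) {
        return false;            // reject anything that is not a plain integer
    }
    $config['quality'] = $quality;
    return true;
}

$reported = "1'.phpinfo().'";    // var1 value quoted in the report
$config   = ['quality' => 85];   // constructed sample configuration

// The quotes in var1 close the literal, so phpinfo() becomes code in the body.
// The string is only printed here, never compiled.
echo "vulnerable body: ", build_body_vulnerable($reported), PHP_EOL;

foreach ([$reported, '75'] as $input) {
    $ok = set_quality($config, $input);
    echo var_export($input, true), ' => ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
echo 'quality is now ', $config['quality'], PHP_EOL;
```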
