php code injection attack
Submitted by rollins on Tue, 2009-07-07 02:28.
| Project: | phpAlbum.net |
| Version: | 0.4.1-14_fix05 |
| Component: | Code |
| Category: | bug |
| Priority: | critical |
| Assigned: | patrik |
| Status: | in work |
Description
You can execute arbitrary php commands by passing main.php specially crafted parameters. For example,
main.php?cmd=setquality&var1=1'.phpinfo().'
will result in a "create_function()" call that will execute the phpinfo() command.
Updates
#1 submitted by patrik on Thu, 2009-07-16 20:38
| Status: | new | » in work |
Thanks for posting! This is by far the most serious bug I ever produced ...
Do you have more examples?
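
Added example, not part of the original report and not phpAlbum's code: a sketch of the bug class described above (a request value pasted into source text that create_function() compiles) beside a hardened handler. The function names, the single-quoted template and the 1-100 quality range are assumptions made for illustration; the second sample input is the value quoted in the report.

```php
<?php
// Added illustration, not phpAlbum source. All function names are hypothetical.

// Unsafe pattern: the request value becomes part of PHP source text that is
// later compiled by create_function() (deprecated in PHP 7.2, removed in 8.0).
// This helper only builds the text so the result can be inspected; it is
// never evaluated here.
function unsafe_body(string $value): string
{
    return "return '" . $value . "';";
}

// Hardened step 1: accept only what a quality setting can be.
// The 1-100 range is an assumption, not taken from the project.
function parse_quality(string $raw): ?int
{
    if (!preg_match('/\A[0-9]{1,3}\z/', $raw)) {
        return null;
    }
    $q = (int) $raw;
    return ($q >= 1 && $q <= 100) ? $q : null;
}

// Hardened step 2: bind the validated value as data in a closure instead of
// generating code from it.
function make_quality_setter(int $quality): Closure
{
    return function (array $config) use ($quality): array {
        $config['quality'] = $quality;
        return $config;
    };
}

// Constructed sample inputs: a normal value and the var1 value from the report.
$samples = ['85', "1'.phpinfo().'"];

foreach ($samples as $raw) {
    echo "var1 = $raw\n";
    // For the second sample the quote in the input closes the string literal,
    // so the function call sits in the generated source as code, not as text.
    echo "  source the unsafe pattern would compile: " . unsafe_body($raw) . "\n";

    $quality = parse_quality($raw);
    if ($quality === null) {
        echo "  hardened handler: rejected\n";
        continue;
    }
    $config = make_quality_setter($quality)(['quality' => 75]);
    echo "  hardened handler: quality set to {$config['quality']}\n";
}
```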
