php code injection attack

Submitted by rollins on Tue, 2009-07-07 02:28.

You can execute arbitrary php commands by passing main.php specially crafted parameters. For example,

main.php?cmd=setquality&var1=1'.phpinfo().'

will result in a "create_funtion()" call that will execute the phpinfo() command.

Updates

Status:

new

» in work

Thanx for posting! This is by far the most serious bug I ever produced ...
Dou you have more examples?