[pmwiki-users] pmwiki exploit
Nils Knappmeier
nk at knappi.org
Tue Sep 5 07:17:48 CDT 2006
Hi,
I verified it, and it really works. Apparently, PHP does have a problem
unsetting variables under some circumstances. Actually, the following
statement at the beginning of pmwiki.php should prevent such an attack:
  if (ini_get('register_globals'))
    foreach($_REQUEST as $k=>$v) {
      if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i',
                     $k)) exit();
      unset(${$k});
    }
But due to the PHP problems, it does not really work. The exploit uses
this problem to set the value of $FarmD, which is used in several
include statements. It "includes" a PHP file from a remote server which
is then executed on the local PmWiki installation and can execute
arbitrary commands.
I think the problem can be solved by inserting
${$k} = "";
directly above the line "unset(${$k})". In this case, if someone tries
to inject a false $FarmD, it will be set to an empty string.
Nils
PS: I'd feel bad sending the exploit over this list, but if anyone wants
to see it and has trouble finding it, I can point you to the URL.
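The following is an added example, not code from the mail or from PmWiki itself. It emulates register_globals by importing a constructed request into the global scope, then runs the pmwiki.php loop with the `${$k} = "";` line proposed above inserted before `unset()`, and finally shows what a later include statement would see. The request contents, the default of `dirname(__FILE__)` for `$FarmD` and the `scripts/stdconfig.php` path are assumptions made for illustration; nothing is actually included.

```php
<?php
// Added example (not PmWiki's own code). Demonstrates why an injected
// $FarmD matters and how blanking each request variable before unset()
// keeps a later include() local even if unset() does not take effect.

// Constructed request, standing in for $_REQUEST on a register_globals host.
$request = array(
    'FarmD'  => 'http://attacker.example/payload',  // injected include base
    'action' => 'browse',
);

// Emulate register_globals: every request key becomes a global variable.
foreach ($request as $k => $v) {
    ${$k} = $v;
}

// Before any scrubbing, the include path would point at the remote host.
echo "before scrub: $FarmD/scripts/stdconfig.php\n";

// The pmwiki.php loop with the mitigation from the mail: the ${$k} = ""
// line is the only change, everything else matches the original loop.
foreach ($request as $k => $v) {
    if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) {
        exit();
    }
    ${$k} = "";     // neutralise the injected value first
    unset(${$k});   // then drop the variable, as the original code does
}

// What the include statements see afterwards. Whether unset() removed
// $FarmD or merely left it blank, the attacker's URL is gone and the
// installation falls back to its local directory.
// (Assumed default for this example; PmWiki's own default may differ.)
if (!isset($FarmD) || $FarmD === '') {
    $FarmD = dirname(__FILE__);
}
echo "after scrub:  $FarmD/scripts/stdconfig.php\n";   // assumed path
```

Run it from the command line with register_globals off; the emulation loop at the top reproduces the effect that setting would have had, so the output shows the remote URL before the scrub and a local path after it.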