OpenID in PHP

Phil Harnish philharnish at gmail.com
Wed Jun 29 21:19:45 PDT 2005


What if they just encode a newline and add a more malicious shell
command of their own?

If it's the file's contents that you want, you really need to read the
file yourself using a PHP method, perhaps "file_get_contents"?

- Phil

On 6/29/05, Ted Pennings <ted at hostleft.com> wrote:
> *finally realizes this listserve doesn't sent a Reply-To header*
> 
> Don't forget about > and < in the command.
> 
> I've actually had a website hacked due to something like this line of
> code and > a few years ago (about 5, when I was a noob).
> 
> -Ted
> 
> ---------------------------------------------------
> Host Left Web Hosting           http://www.hostleft.com
> Ted Pennings (.com)       http://www.tedpennings.com
> Mobile Phone:                                           1.951.640.4092
> AOL Instant Messenger:                          thesleepyvegan
> 
> 
> On Jun 29, 2005, at 1:15 PM, Kristopher Tate wrote:
> 
> > Ah, sorry about that last bit -- gotcha.
> >
> > Here's a fix:
> >
> >> //Get secret
> >>      $secret = shell_exec('cat
> >> /tmp/oid-shared_secret-
> >> '.addcslashes($_GET['openid_assoc_handle'],';.\+*?
> >> [^]($)#').'.secret');
> >
> > Thanks,
> >
> > -Kris
> >
> > On 2005/06/29, at 1:02 PM, Xageroth Sekarius wrote:
> >
> >> secret is, but you were shell_exec'ing straight from a global
> >> variable. What prevents openid_assoc_handle from being set to
> >> something malicious? Maybe I misunderstood.
> >
> >
> >
> 
>


More information about the yadis mailing list