OpenID in PHP
Phil Harnish
philharnish at gmail.com
Wed Jun 29 21:19:45 PDT 2005
What if they just encode a newline and add a more malicious shell
command of their own?
If it's the file's contents that you want, you really need to read the
file yourself using a PHP method, perhaps "file_get_contents"?
- Phil
On 6/29/05, Ted Pennings <ted at hostleft.com> wrote:
> *finally realizes this listserve doesn't sent a Reply-To header*
>
> Don't forget about > and < in the command.
>
> I've actually had a website hacked due to something like this line of
> code and > a few years ago (about 5, when I was a noob).
>
> -Ted
>
> ---------------------------------------------------
> Host Left Web Hosting http://www.hostleft.com
> Ted Pennings (.com) http://www.tedpennings.com
> Mobile Phone: 1.951.640.4092
> AOL Instant Messenger: thesleepyvegan
>
>
> On Jun 29, 2005, at 1:15 PM, Kristopher Tate wrote:
>
> > Ah, sorry about that last bit -- gotcha.
> >
> > Here's a fix:
> >
> >> //Get secret
> >> $secret = shell_exec('cat
> >> /tmp/oid-shared_secret-
> >> '.addcslashes($_GET['openid_assoc_handle'],';.\+*?
> >> [^]($)#').'.secret');
> >
> > Thanks,
> >
> > -Kris
> >
> > On 2005/06/29, at 1:02 PM, Xageroth Sekarius wrote:
> >
> >> secret is, but you were shell_exec'ing straight from a global
> >> variable. What prevents openid_assoc_handle from being set to
> >> something malicious? Maybe I misunderstood.
> >
> >
> >
>
>
More information about the yadis
mailing list