Saturday, February 17, 2007
Update to my previous post :)
Possibility to fetch files such as /etc/passwd
http://www.flconferences.com/download.php?file=/legionsec_1/archive/LegionSec'06___Vicente.pdf => Example
Click on the above link to see the "Function.fopen" warning, which lists out "fopen(/hsphere/local/home/flconf/flconferences.com/user_conference/legionsec_1/archive/LegionSec\'06___Vicente.pdf", that is, the full server-side path handed to fopen.
How much time will it take for an attacker to manipulate this function and retrieve critical files such as /etc/passwd or /etc/shadow?
With this kind of information in hand, the extent of damage that can be done is "maximum".
Documentation for Function.fopen from PHP Website.
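For the defending side, a download handler that avoids both problems shown above (the request parameter reaching fopen unchecked, and the warning echoing the server path) could look like the following. This is an added example, not the site's code: `DOWNLOAD_ROOT`, `resolve_download` and `serve_download` are hypothetical names, and it assumes `download.php` opens whatever the `file` parameter names, as the warning suggests.

```php
<?php
// Added example: hardened download handler. All names and paths here are
// assumptions for illustration, not taken from the affected site.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/var/www/example/user_conference'; // hypothetical base dir

/** Return the canonical path of $requested if it is a file under $root, else null. */
function resolve_download(string $root, string $requested): ?string
{
    // Empty names and embedded NUL bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($root);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", repeated slashes and symlinks, and
    // returns false when the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against the base WITH a trailing separator, so a sibling
    // directory such as "/base-other" cannot pass a plain prefix check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function serve_download(string $requested): void
{
    $path = resolve_download(DOWNLOAD_ROOT, $requested);
    if ($path === null) {
        http_response_code(404);
        echo 'File not found.'; // generic body: no path, no fopen warning
        // json_encode() neutralises newlines so the log line cannot be forged.
        error_log('download rejected: ' . json_encode($requested));
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

ini_set('display_errors', '0'); // warnings go to the log, never to the client
if (PHP_SAPI !== 'cli') {
    $file = $_GET['file'] ?? '';
    serve_download(is_string($file) ? $file : '');
}
```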
Full-Disclosure - We believe in it.