ush.it - a beautiful place

PHP import_request_variables() arbitrary variable overwrite

March 9, 2007 at 3:29 am - Filed under Hacks, Language EN - 1401 words, reading time ~4 minutes - Permalink - Comments

My friend Stefano di Paola and I have discovered that a PHP function used to emulate register_globals on is able to overwrite any variable (also $_SESSION and $_SERVER) with the exception of $GLOBALS. Naturally during the Month of PHP bugs :)

Php Nuke wild POST XSS

March 9, 2007 at 12:47 am - Filed under Hacks, Language EN - 1530 words, reading time ~5 minutes - Permalink - Comments

To demonstrate the import_request_variables() bug i've exploited a XSS flaw in PHP NUKE 8.0 that has an anti-CSRF routine. The import_request_variables() vulnerability will permit you to exploit a wide range of vectors (XSS, remote file inclusion, remote code execution, SQL injections, etc.) on software that makes use of it.

Reed's Alert! Got something burning? Tell USH team.
THP USH Wisec DigitalBullets