Not-so-obvious Security Holes: include() and NUL.
Consider the following code:
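// Intended check: reject any template name that contains a '/'.
if (!empty($_GET['template']) && strpos($_GET['template'], '/') === FALSE) {
    // The request value is placed into the include path as-is.
    include dirname(__FILE__).'/'.$_GET['template'].'.html';
}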
Save it in display.php, and access it using a URL that looks like:
http://example.com/display.php?template=blue
At first glance, it only includes files in the current directory with the extension “.html”. This isn’t true; access the URL with the following instead and see what happens:
http://example.com/display.php?template=display.php%00
Ouch.
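One way to close the hole, as an added example that is not part of the original post: validate the template name against an allow-list before it reaches include, then confirm the resolved file sits in the template directory. The helper name resolve_template(), the permitted character set and the scratch directory are assumptions made for this example.

```php
<?php
// Added example, not the post's code. resolve_template() and the allowed
// name pattern are assumptions made for illustration.

// Return the canonical path of "$dir/$name.html", or null when the name is
// not acceptable or the file does not sit directly inside $dir.
function resolve_template($name, $dir)
{
    // Allow-list the name. A NUL byte, '/', '\' or '.' is outside the class
    // and fails the match. \A and \z anchor the whole string; '$' would
    // still accept a trailing newline.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($dir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and returns false for a missing file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.html');
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a scratch directory holding one template, blue.html.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'blue.html', '<p>blue</p>');

// Constructed inputs: the normal request, the value from the post's second
// URL after PHP decodes %00 to a NUL byte, and a name containing a slash.
foreach (array('blue', "display.php\0", '../blue') as $name) {
    $path = resolve_template($name, $dir);
    printf("%-22s %s\n", json_encode($name), $path === null ? 'rejected' : 'include ' . $path);
}

unlink($dir . DIRECTORY_SEPARATOR . 'blue.html');
rmdir($dir);

// In display.php the call would be:
//   $path = resolve_template(isset($_GET['template']) ? $_GET['template'] : null, dirname(__FILE__));
//   if ($path !== null) { include $path; }
```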
Posted January 4th, 2010