Re: RFC: source files without opening tag

From: Yasuo Ohgaki
Date: Mon, 09 Apr 2012 23:35:32 +0000
Subject: Re: RFC: source files without opening tag
Groups: php.internals
Hi,

2012/4/10 Stas Malyshev <[email protected]>:
> Hi!
>
>> 1. Find LFI vulnerable application.
>> 2. Find a way to inject $_SESSION
>> 3. Use session file to execute arbitrary PHP code.
>
> So, you assume you have a broken application with no security AND it
> allows you to inject arbitrary data into the session (which probably means
> broken authorization too) and then somehow it's a PHP vulnerability? I'm
> sorry but this does not make too much sense to me. If you have an
> application that allows executing arbitrary code on external request,
> this app has no security. How is it a vulnerability in PHP?

It's a design vulnerability. It does not have to be an attackable security hole
without broken code. There are many security issues and countermeasures
like this, e.g. register_globals in PHP, stack smashing attacks in C, etc.

Some people are trying to introduce tag-less execution. A wise choice for
tag-less execution would be removing the famous LFI vulnerability from PHP.

Regards,

P.S. BTW, LFI is not only good for execution, but also for information disclosure.
Just in case people on this thread didn't realize it.

--
Yasuo Ohgaki
[email protected]
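The three-step chain quoted at the top of the message, as an added illustration that is not code from this thread or from PHP itself. It runs from the PHP CLI against a temporary session directory so no web server is needed; the session id, the "name" field, the payload string and the helper names (vulnerable_include, safe_include) are all constructed for the example.

```php
<?php
// Added example, not from the php.internals thread: LFI + $_SESSION injection.
// Everything below (ids, paths, payload, function names) is made up for the demo.
declare(strict_types=1);

// Step 1 of the chain: the vulnerable pattern. User input reaches include()
// unfiltered, so the attacker chooses which file the PHP parser reads.
function vulnerable_include(string $page): void
{
    include $page;   // e.g. ?page=../../tmp/sess_<id> in a real application
}

// Hardened pattern: an allow-list of page names, never a path built from raw
// input, and a realpath() check that the resolved file is still under $baseDir.
function safe_include(string $page, array $allowed, string $baseDir): bool
{
    if (!in_array($page, $allowed, true)) {
        return false;                      // unknown page name: refuse, do not guess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                      // missing file or escaped the base directory
    }
    include $path;
    return true;
}

$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($dir, 0700);

// Step 2: the application stores attacker-controlled data in $_SESSION (think
// a "display name" field). PHP's files handler writes the serialized record to
// sess_<id> exactly as given, PHP tags included.
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');
ini_set('session.use_strict_mode', '0');   // lets the demo pick its own session id
session_id('attackerid');
session_start();
$_SESSION['name'] = '<?php echo "code from session file ran\n"; ?>';  // constructed payload
session_write_close();

$sessFile = "$dir/sess_attackerid";
// The file is the raw serialized record (key|serialized value) with the tag intact.
echo "session file contains: ", file_get_contents($sessFile), "\n";

// Step 3: include() parses the whole file as PHP. Text outside <?php ... ?> is
// emitted literally; the tag embedded in the session value executes.
vulnerable_include($sessFile);

// The allow-listed version never reaches the session file or anything
// outside its base directory.
var_dump(safe_include($sessFile, ['home', 'about'], $dir));
var_dump(safe_include('../../etc/passwd', ['home'], $dir));

unlink($sessFile);
rmdir($dir);
```

The same unfiltered include is what the P.S. refers to: even without a tag in the file, include() reads any file the web server user can open, which is why LFI is an information disclosure issue as well as a code execution one. The hardened variant relies on the allow-list doing the real work; realpath() is a second check, not a substitute for it.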

