There is a security problem that can getshell #237
Comments
|
What is your suggestion ? |
|
After the install.php, delete config-setup.php by the PHP code |
|
This already works, and many more features are available on the following fork: https://github.com/pixeline/bugs/issues |
|
But it didn't delete the file on my computer, is there anything wrong with it? |
|
No. |
|
But after finishing the install, the config.app.example still exists, and you need to delete the config.app.example after the installation by the PHP code. |
|
No. |
|
But I can cause a security problem |
|
That's solved in more recent forks like the one I mentioned before. |
|
No, https://github.com/pixeline/bugs also has this problem, look at this |
|
The same code. I know. |
|
So it is a security problem in the default setting. The install file should be deleted or renamed after the installation by the install program. |
|
Where do you get such screenshots from ? |
|
Please explain better the issue you've found. |
|
I built the environment on my computer. PostData is '),'a'=>var_dump(phpinfo()))?> |
|
For sure, with any open source code, you can change the code and force it to do something which has not been planned by the initial project. Your initial sentence was:
What is "getshell" ? |
|
"Getshell" means remote command execution; an attacker can execute commands on your service |
|
Ok. |
|
The hacker just needs to repeat my postdata create_config=123&database_host=%27%29%2C%27a%27%3D%3Evar_dump%28phpinfo%28%29%29%29%3F%3E like this; the attacker can execute any code if he likes |
|
If, and only if the attacker
Or maybe you put the create_config= in the install page's field. |
|
Yeah, by the default setting, a hacker can access the install/config-setup.php easily. |
|
I tried your code
replacing "localhost" in the install form. I got an error from system, not any kind of phpinfo() page. |
|
Next, I'll try to replace the "create_config" value with your code. |
|
Doing so: nothing like a phpinfo() again. |
I would like to help people to avoid that. But I'm still unable to redo what you're doing. |
|
OK, I'll show you the code in a minute
The code uses Python 2.7, you just need to edit the URL
|
Nice. |
|
https://github.com/pixeline/bugs's install now deletes the config file. |
|
it's okay. |
|
For any further suggestion, please comment on https://github.com/pixeline/bugs |


The problem file is install/config-setup.php, line 13:
$config_file = str_replace('localhost', $_POST['database_host'], $config_file);
This causes a security problem that can getshell.
PoC:
POST /install/config-setup.php
data: create_config=123&database_host=%27%29%2C%27a%27%3D%3Evar_dump%28phpinfo%28%29%29%29%3F%3E
Finally, at the config.app.php, you can see the phpinfo();
Thank you very much
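
Added example, not code from the original issue or from either project: a PHP sketch of the line-13 pattern beside a hardened form that validates the host and lets var_export() build the quoted literal, plus a guard that refuses to run the installer once config.app.php exists. The template text, the function names and the host character policy are assumptions.

```php
<?php
// Constructed template; the real config.app.example may differ.
const TEMPLATE = <<<'TPL'
<?php
return array(
    'database' => array(
        'host' => 'localhost',
    ),
);
TPL;

// Pattern from install/config-setup.php line 13: the raw POST value is pasted
// between the quotes of a PHP string literal, so a quote inside the value ends
// the literal and the remainder is parsed as PHP when the config is loaded.
function render_unsafe(string $template, string $host): string
{
    return str_replace('localhost', $host, $template);
}

// Hardened form: validate first, then let var_export() emit the whole quoted
// literal (it escapes single quotes and backslashes).
function render_safe(string $template, string $host): string
{
    // Hostname / IP address characters only (assumed policy).
    if (!preg_match('/\A[A-Za-z0-9._:-]{1,253}\z/', $host)) {
        throw new InvalidArgumentException('invalid database host');
    }
    return str_replace("'localhost'", var_export($host, true), $template);
}

// Hypothetical guard: the installer refuses to run once a config exists.
function installer_allowed(string $configPath): bool
{
    return !file_exists($configPath);
}

$value = "db.internal'x"; // constructed input containing a single quote
echo render_unsafe(TEMPLATE, $value), "\n"; // string literal no longer closed where intended
try {
    echo render_safe(TEMPLATE, $value), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo render_safe(TEMPLATE, 'db.internal'), "\n";
var_dump(installer_allowed(__DIR__ . '/config.app.php'));
```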