httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 57330] Server Side Includes ~ SSI~Injection
Date Mon, 08 Dec 2014 16:34:13 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=57330

--- Comment #2 from Mahmoud El Manzalawy <is4curity@gmail.com> ---
We can use our commands to bypass the disable function and read any file on the server.
You can see the screenshot.

The defect:

If mod_include works, that makes it possible for me to execute a command

in ssii.php, when checking the input var.

You can edit the source with (Burp Suite)

and make the value your command.

You will see the results.

You can stop that with a regular-expression check: first name and last name not only
a-z

echo error

see attachment

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
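
The allowlist check the comment proposes, as an added example that is not part of the original message or of ssii.php; the handler, the `firstname`/`lastname` field names and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: a hypothetical form handler, not the ssii.php from the report.
// \A and \z anchor the whole string; "$" would also match before a trailing "\n".
const NAME_PATTERN = '/\A[A-Za-z]{1,64}\z/';

/** Returns the name when it is letters only, or null when it must be rejected. */
function validate_name($value): ?string
{
    if (!is_string($value)) {          // e.g. firstname[]=x arrives as an array
        return null;
    }
    return preg_match(NAME_PATTERN, $value) === 1 ? $value : null;
}

/** Builds the fragment that would be written to a page parsed by mod_include. */
function render_greeting(array $input): string
{
    $first = validate_name($input['firstname'] ?? null);
    $last  = validate_name($input['lastname'] ?? null);
    if ($first === null || $last === null) {
        return 'error';                // reject; never store or echo the raw value
    }
    // Second layer: encoding turns "<" into "&lt;", so no "<!--#" sequence can
    // reach the SSI parser even if the pattern above is loosened later.
    return '<p>Hello ' . htmlspecialchars("$first $last", ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample inputs (field names firstname/lastname are assumptions).
$samples = [
    ['firstname' => 'Ada', 'lastname' => 'Lovelace'],
    ['firstname' => '<!--#echo var="DATE_LOCAL" -->', 'lastname' => 'x'],
    ['firstname' => "Ada\n", 'lastname' => 'Lovelace'],
    ['firstname' => ['Ada'], 'lastname' => 'Lovelace'],
];
foreach ($samples as $sample) {
    echo render_greeting($sample), PHP_EOL;
}
```

Only the first sample passes; the other three take the `error` branch because the check runs on the server, after any client-side or proxy edits to the request.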