Yasuo Ohgaki wrote: > We have been tried to educate users already and introduced some > mitigations e.g. allow_url_include, open_basedir. > > However, enough time is passed to prove that wasn't enough, isn't it? > > PHP (many and these are _only_ few of them in the wild) > http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=PHP&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=inclusion&filter_port=0&filter_osvdb=&filter_cve=
I've arbitrarily checked the top most entry (u5CMS), and the LFI was caused by `echo file_get_contents($_GET['...'])` basically. There was neither include|require(_once) involved, nor move_uploaded_file(). From my, admittedly very limited, experience, this is a rather common source of LFI vulnerabilities in PHP applications. I'm afraid that educating developers is the only way to avoid this kind of vulnerability. -- Christoph M. Becker -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
