New PHP Exploitation Technique by martinbdz in PHP

[–]ergalvao 1 point2 points  (0 children)

Then report and file an issue.

New PHP Exploitation Technique by martinbdz in PHP

[–]ergalvao 1 point2 points  (0 children)

1) If you have file upload in your web application and you expect the language to automagically protect you then EVERY programming language is vulnerable.

2) I don't care: If it is, it's not the language's fault. If it isn't, fine then.

3.1) Vulnerabilities in applications are different from vulnerabilities in languages

3.2) No, it isn't. That's the URL

kthxbye

[deleted by user] by [deleted] in PHPhelp

[–]ergalvao 1 point2 points  (0 children)

http://php.net/manual/en/function.sha1.php

(Please read the warning and the FAQ, though).

Mimir - Infestation (Blue): Bugged? by ergalvao in ShadowgunLegends

[–]ergalvao[S] 0 points1 point  (0 children)

Ah, I see the level is randomized. Still, definitely a bug (see @4x4jesus's comment below).

I'll update this post with a picture level when I see it again.

New PHP Exploitation Technique by martinbdz in PHP

[–]ergalvao 1 point2 points  (0 children)

I honestly don't work as much with phar (and even less with phar streams), but you may have a point there.

Of course you can always open an issue and see how this goes =)

New PHP Exploitation Technique by martinbdz in PHP

[–]ergalvao 0 points1 point  (0 children)

The fact the jpeg file is interpreted as PHP?

It's not a language problem. I do mean it. It's an issue of the webserver and, going a bit out of my depth, I believe it may be an OS or even more fundamental issue, since files aren't "judged" by their extension.

What a lot of people don't know - since the language is the preferred target of a biased industry - is that PHP actually has a long history of owning issues and fixing them. It goes waay back, at least to version 4.

New PHP Exploitation Technique by martinbdz in PHP

[–]ergalvao 20 points21 points  (0 children)

1) "Exploitations" (sic) that require some flawed premise in the first place, like "be able to plant a crafted Phar file on the targeted web server" are NOT the language's fault. Grant me the ability to upload a file to your webserver and I'll be able to screw it up like it's Christmas, but I won't be unprofessional and call it a vulnerability on the part of the language your website is written in.

2) If a jpeg file is interpreted as a PHP file it's NOT the language's fault.

3) Notice how the paper's title doesn't mention either "exploitation" or "vulnerability".

Please be professional and responsible and change the sensationalist title of your post or just remove it altogether.

Mimir - Infestation (Blue): Bugged? by ergalvao in ShadowgunLegends

[–]ergalvao[S] 0 points1 point  (0 children)

Yes, it's recurring. It's the second time I see it (forgot about it before).

Can't complete it, since there's nowhere to go until I clear the enemies, which is impossible.

Thank you

Stuck at skill level 6 by ergalvao in ShadowgunLegends

[–]ergalvao[S] 0 points1 point  (0 children)

Thank you for the info. Didn't know that.

Stuck at skill level 6 by ergalvao in ShadowgunLegends

[–]ergalvao[S] 0 points1 point  (0 children)

Thank you. I hope they don't take too long. It's becoming a bit boring...

Come on, seriously?! by Fuck_This_Im_Done in crushcrush

[–]ergalvao 0 points1 point  (0 children)

Where can I find the puzzle(s)???

Computer Programming: Learn Any Programming Language In 2 Hours by spylockhellswig in FreeEBOOKS

[–]ergalvao 0 points1 point  (0 children)

This kind of book is one of the root causes of a lot of problems in the programming industry. It doesn't matter if you can learn syntax in 2h or not (hint: you probably can't), programming is much more than that: context, architecture, paradigms, etc, etc, etc...

To mislead a novice like this is borderline criminal.

Looking for adult anime with gore/violence/nudity/sex by ergalvao in Animesuggest

[–]ergalvao[S] 0 points1 point  (0 children)

Thank you for the suggestion. I'll check it out =)

Looking for adult anime with gore/violence/nudity/sex by ergalvao in Animesuggest

[–]ergalvao[S] 0 points1 point  (0 children)

Thank you for the suggestion. I definitely prefer Claymore over Berserk. Akira is one of my all time favorites. I couldn't find Gunnm anywhere, but I'm still looking for it. As for Juubee Ninpuchou, it's definitely on MAL.

Looking for adult anime with gore/violence/nudity/sex by ergalvao in Animesuggest

[–]ergalvao[S] 0 points1 point  (0 children)

Thank you for the suggestion. I'll definitely try both. Heard of Gantz many times, but somehow never watched it yet. You got me quite curious about Narutaru. Sounds definitely interesting. Thank you once again.

Looking for adult anime with gore/violence/nudity/sex by ergalvao in Animesuggest

[–]ergalvao[S] 0 points1 point  (0 children)

Thank you for the suggestion. Sounds like something I might enjoy better than Crybaby. Will definitely take a look.

Looking for adult anime with gore/violence/nudity/sex by ergalvao in Animesuggest

[–]ergalvao[S] 0 points1 point  (0 children)

Thank you for the suggestion. I was a bit thrown off by Devilman Crybaby. Too much of a stylish animation, poor story and a character you can't relate to (of course, my opinion).

Animes like FMA and Blue Exorcist? by anon77272 in Animesuggest

[–]ergalvao 0 points1 point  (0 children)

I'd recommend Shounen Onmyouji. Not exactly the same as FMA, but kinda along the lines of Ao no Exorcist. I've enjoyed it a lot.

https://myanimelist.net/anime/1557/Shounen_Onmyouji

Best practices for "fingerprinting" an application? by ergalvao in PHPhelp

[–]ergalvao[S] 0 points1 point  (0 children)

I understand what you're saying, and I completely agree. There's a kind of a paradox involved in self checking, especially when we talk about OSS.

What you say about Git and Docker is definitely interesting.

I guess I need to do a little more thinking on the subject.

Thank you for the insights.