Monday, April 13, 2015

Is PHP vulnerable and under what conditions?

We are going to analyze a special method of attacking Web Servers. It is known as LFI with PHP Info vulnerability [1]. It was first publish by Insomnia Sec at 2011. The method clever handles some PHP build-in features (such as upload and wildcards [2]) to accomplish a well formed attach that will end up with an arbitrary code execution (call me remote shell) on the victim's server. Requires two specific flaws on the server: A phpinfo() function must be available along with a LFI vulnerability. By combining the above two, a high risk attack can be implemented. The method has been tested successfully on Windows as well as Linux operating systems on IIS and Apache web servers. The same method failed on NginX web server.