[Info-vax] Using VMS for a web server
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Jun 9 20:32:58 EDT 2015
On 2015-06-09, Jan-Erik Soderholm <jan-erik.soderholm at telia.com> wrote:
>
> OK. That needs a script called wawalo.php already being on the server
> in a directory where the server can execute it. The exploit is really
> to be able to upload the wawalo.php file in the first place.
>
Actually what I read it as was that a PHP script installed for a
legitimate purpose on the server (as part of, say, a PHP application)
had a vulnerability which allowed attacker-controlled commands to
be executed.
> If you have a server setup where someone can both upload a random
> file and then also execute that file just like that from the same
> directory, you have a severe problem.
>
> Now, is this a "hole in PHP"? Or could the same thing be done
> using any tool that can take an input parameter and execute it?
>
In this case, I think I would class this as a PHP application
vulnerability and not a PHP vulnerability itself.
However, speaking as someone who has actually written PHP code, the
negative reputation the language itself has in some quarters is well
justified.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world