[Owncloud] [URGENT] "movable apps" exploitation

Florian Hülsmann fh at cbix.de
Mon May 7 11:39:22 UTC 2012


The service I'm talking about is bplacd.net, it throws the following 
exception:

 > Warning: realpath() [function.realpath]: open_basedir restriction in 
effect. File(/users/xxxx) is not within the allowed path(s): 
(/users/xxxx/temp:/users/xxxx/www) in /users/xxxx/www/test.php on line 2

So at least it has no effect.

Florian

On 07.05.2012 13:32, Georg Ehrke wrote:
> could you define 'don't allow realpath()'
> Does realpath just return false / null or will it trigger a PHP Fatal function not found?
>
> On 07.05.2012 at 13:30, Florian Hülsmann wrote:
>
>> Thanks :) But there are several shared hosts that don't allow realpath() execution (for "security reasons" -.-), are we gonna support them..?
>>
>> Florian
>>
>> On 07.05.2012 13:25, Georg Ehrke wrote:
>>> It's fixed (https://gitorious.org/owncloud/owncloud/commit/d032345191c57294d5723639f777692c85bd2b1a)
>>> It seems like there have been ******* merge conflicts which caused this fail. (I actually fixed this earlier)
>>> It should now return a 404.
>>>
>>> Cheers,
>>> Georg
>>>
>>>
>>> On 07.05.2012 at 13:12, Florian Hülsmann wrote:
>>>
>>>> /owncloud/?app=files&getfile=/../../data/bestfriend/files/hack.php
>>>>
>>>> I don't think I have to be more specific.
>>>>
>>>> Florian
>>>>
>>>> --
>>>> Florian Hülsmann
>>>> <fh at cbix.de>
>>>> http://cbix.de
>>>> _______________________________________________
>>>> Owncloud mailing list
>>>> Owncloud at kde.org
>>>> https://mail.kde.org/mailman/listinfo/owncloud
>>>
>>
>

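The pattern behind the report above (a user-supplied `getfile` value joined onto an app directory and served) and the follow-up question about hosts where realpath() is restricted, illustrated as an added PHP example. This is not ownCloud's code or the commit linked in the thread; the directory layout, function names and the temporary-directory demo are hypothetical, and the traversal string is the one from the original report.

```php
<?php
// Added example, not ownCloud's code. Models the "getfile" handler pattern
// discussed in the thread: a user-controlled path is appended to an app root.
// All names and paths here are hypothetical.
declare(strict_types=1);

// Vulnerable form: the user-controlled value is glued onto the app root and
// served if it exists, so "/../../data/.../hack.php" walks out of the root.
function getfile_vulnerable(string $appRoot, string $getfile): ?string
{
    $candidate = $appRoot . '/' . $getfile;
    return is_file($candidate) ? $candidate : null;
}

// Lexical normalisation: collapse "", "." and ".." segments without touching
// the filesystem. It does not call realpath(), so it also works on hosts where
// open_basedir makes realpath() fail for paths above the document root (the
// warning quoted in the thread). A ".." that would climb above the root is
// rejected outright instead of being silently clamped.
function normalize_path(string $path): ?string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($parts === []) {
                return null; // attempt to leave the root
            }
            array_pop($parts);
            continue;
        }
        if (strpos($seg, "\0") !== false) {
            return null; // NUL would truncate the path in the C-level open()
        }
        $parts[] = $seg;
    }
    return implode('/', $parts);
}

// Hardened form: lexical check first; then, where realpath() is callable,
// confirm the resolved file is still under the resolved app root (this is what
// catches symlinks). realpath() returning false is treated as "not found",
// never as "allowed", which matches the 404 behaviour Georg describes.
function getfile_hardened(string $appRoot, string $getfile): ?string
{
    $rel = normalize_path($getfile);
    if ($rel === null || $rel === '') {
        return null;
    }
    $candidate = $appRoot . '/' . $rel;
    if (!is_file($candidate)) {
        return null;
    }
    if (!function_exists('realpath')) {
        return $candidate; // lexical check only; see usage note on symlinks
    }
    $real     = @realpath($candidate);
    $realRoot = @realpath($appRoot);
    if ($real === false || $realRoot === false) {
        return null;
    }
    return strncmp($real, $realRoot . '/', strlen($realRoot) + 1) === 0 ? $real : null;
}

// Constructed demo layout: <tmp>/owncloud/apps/files is the app root and
// <tmp>/owncloud/data/bestfriend/files/hack.php plays the uploaded file.
function demo(): array
{
    $base    = sys_get_temp_dir() . '/getfile_demo_' . getmypid();
    $appRoot = $base . '/owncloud/apps/files';
    $secret  = $base . '/owncloud/data/bestfriend/files';
    mkdir($appRoot, 0700, true);
    mkdir($secret, 0700, true);
    file_put_contents($appRoot . '/index.php', "<?php // legitimate app file\n");
    file_put_contents($secret . '/hack.php', "<?php // attacker-uploaded file\n");

    $traversal = '/../../data/bestfriend/files/hack.php'; // from the report
    $results = [
        'vulnerable' => getfile_vulnerable($appRoot, $traversal),   // returns the hack.php path
        'hardened'   => getfile_hardened($appRoot, $traversal),     // null -> 404
        'legit'      => getfile_hardened($appRoot, 'index.php'),    // allowed file
    ];

    foreach ([$secret . '/hack.php', $appRoot . '/index.php'] as $f) {
        unlink($f);
    }
    foreach ([$secret, dirname($secret), dirname($secret, 2), $appRoot,
              dirname($appRoot), dirname($appRoot, 2), $base] as $d) {
        @rmdir($d);
    }
    return $results;
}

var_dump(demo());
```

The lexical check alone does not follow symlinks: on a host where realpath() is unavailable, a symlink inside the app root pointing at the data directory would still be served, so either forbid symlinks under the served tree there or fail closed as the realpath branch does. Note that open_basedir only makes realpath() emit a warning and return false for paths outside the allowed list; it does not remove the function, which is the difference Georg's question turns on.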


