
Re: [Full-disclosure] Cross Domain XMLHttpRequest

Subject: Re: [Full-disclosure] Cross Domain XMLHttpRequest
Date: Sun, 15 Apr 2007 23:21:36 +0200
Michal Majchrowicz wrote:
> Due to "security reasons" many Web Browsers doesn't allow cross
> domain XMLHttpRequests.
>
> [..]

Hi Michal, personally I don't get your point (to me it seems just
a hybrid implementation using both server-side and client-side
scripting), but I'm sure you can better explain your intents.

From what I saw it asks a PHP page to make an HTTP query to the foreign
domain and then displays the page contents back using JS.

So I suppose this is not a vulnerability at all, just an implementation
to (??) pass to JavaScript remote contents fetched using a machine !=
from the client/browser/whatever.

Anyway, your implementation is a bit flawed:

http://sectroyer.110mb.com/myhttp.php?url=file://myhttp.php&method=get

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<?php
if(isset($_GET['url'])==true)
{
    $curl=curl_init();
    // cookie header taken straight from the query string
    curl_setopt($curl,CURLOPT_COOKIE,$_GET['cookie']);
    // no scheme or host check: curl accepts any URL it supports, file:// included
    curl_setopt($curl,CURLOPT_URL,rawurldecode($_GET['url']));
    curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
    if(($_GET['method']=="post") && (isset($_GET['vars'])==true))
    {
        $vars=rawurldecode($_GET['vars']);
        curl_setopt($curl,CURLOPT_POSTFIELDS,$vars);
    }
    $tmp=curl_exec($curl);
    curl_close($curl);
    // fetched body is returned as a JS callback invocation for the requesting page
    echo "myglobalcallback(\"".rawurlencode($tmp)."\");";
}
?>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

This is basically a proxy: it can make GET/POST requests to HTTP-only
hosts, saturate the server bandwidth *PLUS* naturally fetch any
local file : )

http://sectroyer.110mb.com/myhttp.php?url=file:///etc/passwd&method=get

Please correct me if I misunderstood.

best regards,
Francesco `ascii` Ongaro
http://www.ush.it/
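As an added example (not code from this thread, nor from Michal's site), here is a hardened rewrite of the proxy that addresses the two problems raised above: the unrestricted URL scheme that lets file:// be fetched, and the open-proxy behaviour that lets anyone relay requests through the server. It assumes PHP 7.1 or later with the curl extension; ALLOWED_HOSTS, ALLOWED_SCHEMES and api.example.com are placeholders for the allow-list you would actually need.

```php
<?php
// Hardened cross-domain fetch proxy (added example, hypothetical allow-list).
const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_HOSTS   = ['api.example.com'];   // constructed placeholder

/**
 * Returns the URL unchanged if it is an http(s) URL on an allow-listed host,
 * otherwise null. file://, ftp://, gopher:// and similar never pass, and
 * neither do URLs carrying user:pass@ or a host that is not on the list.
 */
function validate_target(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                   // e.g. file:///etc/passwd has no host
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

$url = isset($_GET['url']) ? validate_target(rawurldecode($_GET['url'])) : null;
if ($url === null) {
    http_response_code(400);
    exit('invalid target');
}

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
// Pin the protocols curl may use, before and after any redirect, so the
// upstream cannot steer the request onto file:// or another scheme.
curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_setopt($curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);
// Bound the cost of each relayed request: time and response size.
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_MAXFILESIZE, 1048576);
// The cookie query parameter of the original is deliberately not honoured;
// the caller must not be able to attach arbitrary cookies to the upstream request.
if (($_GET['method'] ?? 'get') === 'post' && isset($_GET['vars'])) {
    curl_setopt($curl, CURLOPT_POSTFIELDS, rawurldecode($_GET['vars']));
}
$body = curl_exec($curl);
curl_close($curl);

if ($body === false) {
    http_response_code(502);
    exit('upstream error');
}

// Return JSON instead of a JavaScript callback: the page parses it with
// JSON.parse, so no upstream-controlled bytes are ever evaluated as script.
header('Content-Type: application/json');
echo json_encode(['body' => $body]);
```

The allow-list is compared by host name, not by resolved address, so keep it to hosts you control or trust and pair it with egress filtering if the server sits near internal services. Bandwidth exhaustion is only partly addressed by the timeout and size cap; a per-client rate limit in front of the script is the usual complement.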

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
