Wait for an exploit-all.php
wgetnz opened this issue · 1 comment
As the title
Hi @wgetnz
I'm not the author of this project but rather someone testing it against my own servers and planning for it.
Personally, if you are working on a project that allows users to enter PHP code, then what I would recommend for something like this is a custom script that checks each condition and reports on the items that fail (or, while not ideal, manual testing on a single server if needed).
I'm aware of another open PHP bug that can crash servers, which I've been testing. In this case, if someone had 10 separate bugs and tested each condition with a single script, they would not know which one takes the server down. However, with a custom script that checks each script and reports one by one, the error script can be determined. The same goes for the great code in the project. While it might not take a server down, it allows an end-user to bypass critical security code in the standard environment, which is enough to access anything on the server.
Probably most people (myself included) assume servers should be safe by default, but great projects like this prove otherwise, so if security is a high priority, then unfortunately a lot of custom testing or scripts are typically needed.
Do you have a custom setup that allows users to enter PHP code? If so, I would be curious to hear details, because code in the project can likely bypass it. There are always solutions, but it takes time.
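The harness described in the comment above (run each check separately so a crash or hang can be pinned on one script), as an added example that is not part of the issue thread or the project's own code. It runs every case in its own PHP process with a timeout and reports the outcome per case; the four sample cases are constructed for illustration and are not the project's bypass scripts.

```php
<?php
// Added example (not from the project): run each test case in a separate PHP
// process so that a fatal error or hang in one case is attributed to that case
// only, instead of taking the whole test run down.
declare(strict_types=1);

// Constructed sample cases; in practice each entry would be one of the
// project's individual scripts. Names are arbitrary.
$cases = [
    'plain_echo'     => '<?php echo "ok";',
    'fatal_error'    => '<?php undefined_function_xyz();',
    'infinite_loop'  => '<?php while (true) {}',
    'exec_available' => '<?php echo function_exists("exec") ? "exec available" : "exec disabled";',
];

/**
 * Run one PHP snippet in a child process and return its exit status, output
 * and whether it exceeded the timeout. The child is killed on timeout so a
 * hanging case does not stall the harness.
 */
function runCase(string $code, int $timeoutSec = 5): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'case_');
    file_put_contents($tmp, $code);

    $spec  = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc  = proc_open([PHP_BINARY, '-d', 'display_errors=1', $tmp], $spec, $pipes);
    fclose($pipes[0]);
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $out = ''; $err = ''; $timedOut = false; $exitCode = null;
    $deadline = microtime(true) + $timeoutSec;

    while (true) {
        $out .= (string) stream_get_contents($pipes[1]);
        $err .= (string) stream_get_contents($pipes[2]);
        $status = proc_get_status($proc);
        if (!$status['running']) {
            // exitcode is only reliable on the first status call after exit.
            $exitCode = $status['exitcode'];
            break;
        }
        if (microtime(true) > $deadline) {
            $timedOut = true;
            proc_terminate($proc, 9); // SIGKILL: the case is hung, not finishing
            break;
        }
        usleep(50_000);
    }
    // Collect anything written just before exit or termination.
    $out .= (string) stream_get_contents($pipes[1]);
    $err .= (string) stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    unlink($tmp);

    return ['timed_out' => $timedOut, 'exit_code' => $exitCode,
            'stdout' => trim($out), 'stderr' => trim($err)];
}

/** Classify a result into a short verdict for the report. */
function verdict(array $r): string
{
    if ($r['timed_out'])       return 'HANG (killed after timeout)';
    if ($r['exit_code'] === 0) return 'OK';
    return 'FAILED (exit ' . $r['exit_code'] . ')';
}

// Report one line per case; a crashing or hanging case is named explicitly.
foreach ($cases as $name => $code) {
    $r = runCase($code, 3);
    printf("%-15s %s\n", $name, verdict($r));
    if ($r['stdout'] !== '') printf("    stdout: %s\n", $r['stdout']);
    if ($r['stderr'] !== '') printf("    stderr: %s\n", $r['stderr']);
}
```

The harness only isolates failures; it does not decide whether a case's output means a bypass succeeded. That judgement still has to be made per check against what the target environment is supposed to block.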