Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Oct 2014 21:43:48 +0200
From: Jann Horn <>
Subject: Re: What does this PHP exploit do?

On Sat, Oct 11, 2014 at 06:28:04AM +1100, Dave Horsfall wrote:
> I'm trying to figure out what this exploit does; it started around the 
> time that Shellshock did, but I don't think that they're related.

> The hex-encoded stuff in the script below decodes to 
>     "-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n" 
> but my PHP-fu doesn't quite extend that far (and that "safe_mode=off" 
> looks a bit suss).

Looks like CVE-2012-1823 to me:

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.