Well, I think enough time has passed that I can write about this.
To avoid a repeat of what happened after the Rambler article, and to stay out of the ban list, I waited, wrote to the administration, and the vulnerability was closed. So I am writing this with a completely clear conscience.
New leaky bun
So, the folks at qip.ru added a city selector to their site, where you pick the city you live in. I will keep the date and time of my experiments to myself, otherwise it would not end well, but I will say it was not that long ago.
After choosing a city you get the weather for that city, which is a rather convenient little toy. Like everybody else, I decided to use it, and use it I did. It turned out the service is very interesting, for some people anyway.
Inspection
Having clicked through this menu with the mouse, I selected a city and watched the headers sent to the server. The POST data looked like this:
code=RU_14_41145_24959
After looking around a bit, we try passing various parameters to the script, mangling them however we can. And voilà, a surprise awaits us in the last parameter. We pass something like:
code=RU_14_41145_24959abrabr! 1
and see this beauty:
Oops, LFI, local file inclusion. Just lovely! That is basically it: the attacker empirically picks the number of "../" steps needed to reach the root directory and can then read various system files, including the server configuration files. And if the Apache logs can be included this way, then after planting "poisoned code" in the User-Agent header you get a full-fledged shell. But we are good guys, so we did not do that.
Good boys
We wrote to the administration, talked with their lead programmer over ICQ, and reached an understanding. Luckily their programmer is a decent guy, and we got along well. I explained what to close and where. Truth be told, it was not closed on the first try: at first they only replaced "/" in the variable, so "\" could still be used, and only a week after the first fix was it patched completely. That is all, and the moral of this post is: filter the POST data, and do not rely on explode, because you will get lost among the resulting array elements and fail to filter the one that matters, as happened at qip.ru.
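To make that moral concrete, here is an added PHP sketch (mine, not qip.ru's code, which was never published) that models the three stages of the story above: the explode-based lookup that produced the LFI, the first fix that only stripped "/" and was bypassed with "\", and a version that validates the whole value before explode() ever touches it. The weather/ directory, the .php suffix, the function names and the probe values are assumptions made for this example.

```php
<?php
// Added illustration, not qip.ru's code (the real script was never published).
// It models the pattern the post describes: a POST value such as
// RU_14_41145_24959 is split with explode('_') and its last element ends up
// in an include path. The "weather/" directory, the ".php" suffix, the
// function names and the probe values below are assumptions for this example.

// 1. Vulnerable: the last exploded element goes straight into the path.
//    Nothing stops it from being "../../../../etc/passwd".
function path_vulnerable(string $code, string $base): string {
    $parts = explode('_', $code);
    return $base . '/' . end($parts) . '.php';
}

// 2. The first fix described in the post: only "/" is stripped.
//    Where PHP treats "\" as a directory separator (Windows builds),
//    "..\..\..\" still walks up the tree.
function path_halffixed(string $code, string $base): string {
    $parts = explode('_', $code);
    return $base . '/' . str_replace('/', '', end($parts)) . '.php';
}

// 3. Hardened: validate the whole value against the shape it is supposed to
//    have before explode() sees it, then re-check the one element that
//    reaches the filesystem. A null return means "reject the request".
function path_hardened(string $code, string $base): ?string {
    // Two-letter country code, then three numeric ids: the shape seen in the post.
    if (!preg_match('/^[A-Z]{2}_[0-9]+_[0-9]+_[0-9]+$/', $code)) {
        return null;
    }
    $parts = explode('_', $code);
    $id = end($parts);
    if (!ctype_digit($id)) {          // belt and braces: digits only, no dots or slashes
        return null;
    }
    // Second layer: the resolved path must stay under $base. realpath()
    // returns false for a missing file, which is also a reject.
    $real = realpath($base . '/' . $id . '.php');
    if ($real === false || strpos($real, realpath($base) . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed fixture so the script runs stand-alone: one legitimate city file.
$tmp  = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
$base = $tmp . '/weather';
mkdir($base, 0700, true);
file_put_contents($base . '/24959.php', "<?php echo 'weather for 24959';\n");

$probes = [
    'RU_14_41145_24959',                        // legitimate value
    'RU_14_41145_../../../../etc/passwd',       // traversal in the last element
    'RU_14_41145_..\..\..\..\windows\win.ini',  // the "\" variant that beat the first fix
];

foreach ($probes as $p) {
    printf("%s\n  vulnerable: %s\n  half-fixed: %s\n  hardened:   %s\n",
        $p,
        path_vulnerable($p, $base),
        path_halffixed($p, $base),
        path_hardened($p, $base) ?? 'REJECTED');
}

// Clean up the fixture.
unlink($base . '/24959.php');
rmdir($base);
rmdir($tmp);
```

Running it shows the vulnerable variant happily building a path out of "../" for the second probe, the half-fixed variant stopping that one but passing the backslash probe through untouched, and the hardened variant rejecting both while still resolving the real city file. The lesson is the shape of the fix, not the particular character: stripping "/" out of a path fragment is a blacklist, and there is always another separator or encoding. Validate the whole parameter against the format you actually expect, and keep the realpath containment check as a second layer for the day the regex is loosened.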