by Erwin 4645 days ago
There WAS such an issue generally with PHP installed as CGI: a query arg like ?-s would be passed as a command line -s switch to the PHP interpreter spawned. http://www.php-security.net/archives/9-New-PHP-CGI-exploit-C...
2 comments

Well how about that. Thanks for the link.

I remember reading an article in 2600 where someone figured out that quite a few websites took a PHP filename as a query arg to be eval'd... and some subset of those had no mechanism in place to restrict it to local files. Needless to say, they could point that arg to example.com/malicious.php and have it run on the vulnerable box.

The best part was that they constructed a Google query to find sites that would eval remote PHP code. It was something else!

That was my first lesson in validating any external input. Learned the hard way, in my first six months of building websites professionally. Happily, the hosting provider put me onto a helpful tech guy who walked me through what I'd done and how to avoid it. There was a lot less 'common knowledge' and 'everyone knows' in 2001.

...a vulnerability that affected near zero actual servers. (I know because I scanned for it shortly after the announcement) Everyone uses FastCGI or mod_php and friends.
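
A defender-side check for the behaviour the top comment describes, as an added example that is not part of the thread: it flags logged requests whose query string a CGI server would hand to the interpreter as command-line words, at least one of which looks like a switch. It assumes the RFC 3875 section 4.4 rule (a query with no unencoded `=` is split on `+` and URL-decoded into arguments) and combined-format access logs; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?-s HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=2&sort=-date HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /isindex.cgi?red+shoes HTTP/1.1" 200 301',
    '192.0.2.9 - - [01/Jan/2024:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 1500',
]

# Only GET and HEAD requests are subject to the command-line rule.
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')


def cgi_argv(query):
    """Words a CGI server may pass to the script as command-line arguments.

    RFC 3875 section 4.4: this applies only when the raw query contains no
    unencoded '='. The query is split on '+', then each word is URL-decoded.
    """
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+")]


def switch_like_args(request_target):
    """Arguments that start with '-' and would be read as interpreter switches."""
    _path, _sep, query = request_target.partition("?")
    return [arg for arg in cgi_argv(query) if arg.startswith("-")]


def scan(lines):
    """Return (request_target, flagged_args) for every suspicious log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        flagged = switch_like_args(match.group(1))
        if flagged:
            hits.append((match.group(1), flagged))
    return hits


if __name__ == "__main__":
    for target, flagged in scan(SAMPLE_LOG):
        print(f"switch-like CGI argument(s) {flagged} in {target}")
```

The `sort=-date` request is not flagged because the unencoded `=` keeps the query out of the argument list, and `red+shoes` is a legitimate indexed query with no switch-like word.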