Hacker News
by
moduloo
4279 days ago
> but fastcgi_params does not put attacker controlled data into environment variables
it does
https://gist.github.com/anonymous/ea60dc2915eccf0b803e
1 comments
xorcist
4279 days ago
It looks like you have dumped a PHP global variable, possibly $_ENV. Do you know of any circumstances where _ENV, or any other PHP variable with potentially untrusted data, is passed in environment variables?
moduloo
4279 days ago
I'm working on it, but it looks like it works only under rare conditions