The first vulnerability allows an attacker to create a link for the following URL:
These characters are interpreted as the following:
< SCRIPT >alert(document.cookie)< /SCRIPT > (Note: spaces have been inserted to prevent code execution)
This allows the attacker to execute script on the victim's machine when the victim follows the malicious link. In this example, the script runs on the victim's machine with the privileges of the yahoo.com web site, which may allow the attacker to obtain usernames and passwords from the user's cookie file.
The second vulnerability pertains to PHP functions that accept file names as one of their arguments. When allow_url_fopen is set to On in php.ini, these functions also accept URLs instead of regular files. When a URL is accepted, the function connects to the server in question using the appropriate protocol. In certain PHP scripts an attacker may be able to create a link that accesses other virtual hosts on a server or bypasses other restrictions. The following link can be used to break out of such restrictions and access site2.st instead of site1.st, which should be restricted, as long as site1.st and site2.st are virtual hosts on the same machine:
This sends the following HTTP query to www.site1.st:
GET /api?sunnan=visby&vind=gotland HTTP/1.0
The real header is sent along with the constructed header but is ignored because of the two carriage return line feed (CRLF) sequences inserted before it.
The second vulnerability also allows a remote attacker to connect to arbitrary ports and turn certain PHP scripts into proxies and open mail relays. The attacker can enter the following URL to force the PHP interpreter to connect to mail.site1.st on port 25 and enter commands:
The following commands are entered by the PHP interpreter:
GET / HTTP/1.0
i will never say the word PROCRASTINATE again
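The following is an added example, not code from the advisory or from PHP itself. It models the mechanism behind both the virtual-host and the port-25 cases above: a URL wrapper that decodes the path and writes it straight into its request line lets encoded CR/LF in the URL terminate the attacker-chosen request before the wrapper's own headers are sent, so a server parses the injected request and discards the real header as trailing garbage. It also shows the allow-list check a PHP script should apply to a user-supplied file name before handing it to a file function. The wrapper model, the helper names and the URL below are constructed for illustration; they are not PHP's actual implementation.

```python
"""Added example (not from the advisory): models how an HTTP URL wrapper
that writes a decoded path straight into its request line can be made to
emit a different request, and shows a defensive filename check. The wrapper
model, helper names and the URL below are constructed for illustration."""
import re
from urllib.parse import urlsplit, unquote

# Constructed URL in the spirit of the advisory: the query carries an
# injected request line and Host header, terminated by encoded CR/LF and a
# blank line (%0d%0a%0d%0a), so the wrapper's own headers land after the end
# of the request the server actually processes.
CONSTRUCTED_URL = (
    "http://www.site1.st/api?sunnan=visby&vind=gotland"
    "%20HTTP/1.0%0d%0aHost:%20www.site2.st%0d%0a%0d%0a"
)


def build_naive_request(url: str) -> str:
    """Model of a wrapper that does not re-escape the path: decode it and
    drop it into 'GET <path> HTTP/1.0' followed by a Host header for the
    host named in the URL (the "real header" of the advisory)."""
    parts = urlsplit(url)
    target = unquote(parts.path)
    if parts.query:
        target += "?" + unquote(parts.query)
    return f"GET {target} HTTP/1.0\r\nHost: {parts.hostname}\r\n\r\n"


def parse_first_request(raw: str):
    """Split the stream the way a server does: request line, headers, then
    everything after the first blank line (ignored as garbage or body)."""
    head, _, rest = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, rest


# Plain file names only: no scheme (so no URL wrapper is ever selected), no
# path separators, no percent signs or control characters such as CR/LF,
# and no leading dot.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def safe_local_filename(name: str) -> bool:
    """Allow-list check for a user-supplied file name before it reaches a
    file function such as fopen() or include()."""
    return bool(_SAFE_NAME.match(name))


if __name__ == "__main__":
    raw = build_naive_request(CONSTRUCTED_URL)
    line, headers, leftover = parse_first_request(raw)
    print("request line :", line)
    print("Host header  :", headers.get("Host"))
    print("ignored tail :", repr(leftover))
    for candidate in ("report.txt", CONSTRUCTED_URL,
                      "../etc/passwd", "http://mail.site1.st:25/"):
        verdict = "ok" if safe_local_filename(candidate) else "rejected"
        print(f"{candidate[:40]!r:44} -> {verdict}")
```

Running the block shows the server-side view: the processed request line is the injected `GET /api?sunnan=visby&vind=gotland HTTP/1.0`, the Host header names www.site2.st, and the wrapper's genuine `Host: www.site1.st` header sits in the discarded tail. The allow-list check rejects anything carrying a scheme, a port, a path separator or encoded control characters, which is the validation the vulnerable scripts lacked; setting allow_url_fopen to Off in php.ini removes the URL wrappers entirely for scripts that never need them.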