If you can control the input to PHP's file_exists, you might be able to launch a deserialisation payload via a PHAR file :D https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are Great bit of research :)
I *believe* so
Apologies, I'm afraid url_fopen off doesn't protect from this - phar:// is strictly a local wrapper, whereas url_fopen can be used to disable the remote wrappers.
Any ini settings which do turn off URL wrappers?
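Two defensive measures for the gap the replies above discuss, as an added example written for this page (not code from the thread or from the linked research): the `phar` wrapper is removed at runtime with `stream_wrapper_unregister()`, since `allow_url_fopen` does not cover it as noted above, and a hypothetical `safe_file_exists()` rejects wrapper-prefixed input before it reaches `file_exists()`. Assumed: PHP 8 (for `str_contains`/`str_starts_with`) and `$baseDir` as the only directory the application should touch.

```php
<?php
// Added example, not from the thread. Hardening against phar:// reaching
// filesystem functions such as file_exists() with attacker-influenced paths.
declare(strict_types=1);

// 1. Remove the phar wrapper at runtime, early in bootstrap, before any user
//    input reaches a filesystem call. allow_url_fopen / allow_url_include
//    only govern remote wrappers; phar:// is local and unaffected by them.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// 2. Validate the path independently of which wrappers happen to be
//    registered. Function name and $baseDir convention are assumptions.
function safe_file_exists(string $userPath, string $baseDir): bool
{
    // Reject anything shaped like a stream wrapper (phar://, php://, data://, ...)
    // and any null byte, which would truncate the path inside the C layer.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1
        || str_contains($userPath, "\0")) {
        return false;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return false; // base directory itself is missing; fail closed
    }

    // Resolve symlinks and "../" segments, then confine to the base directory.
    // realpath() does not understand wrappers, which is another reason to
    // reject them above rather than rely on it here.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false) {
        return false; // not resolvable or absent: treat as "does not exist"
    }

    return str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)
        && is_file($resolved);
}

// Constructed inputs for a quick local run; both should be refused.
var_dump(safe_file_exists('phar:///tmp/archive.phar/x', __DIR__));
var_dump(safe_file_exists('../../etc/passwd', __DIR__));
var_dump(safe_file_exists(basename(__FILE__), __DIR__));
```

Unregistering `phar` also breaks legitimate use of .phar archives in that process, so apply step 1 only where the application does not load them; step 2 is safe to use everywhere.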