

Online PHP Emulator - datawalke
http://scripterous.com/

======
lucumo
Explored a bit and sent the guy an email at the whois address of another
domain that seems in his possession. The email address in scripterous.com
seems broken. root@localhost doesn't seem to get read.

Hi,

Your site scripterous.com is a security leak for your server. I was able to
kill web server processes, investigate your server, and generally do things I
shouldn't be able to do. A denial of service attack would be easy by
constantly killing the web server and if there was a local root exploit (which
I didn't look for) I could have executed that as well.

I wanted to send an email to the root account on the server, but it doesn't
seem to get read.

You can view a bit more of the discussion on the security implications at
<http://news.ycombinator.com/item?id=827500> (Despite the name and the subject
we're discussing, that site is normally not about this kind of hacking.)

Your site is an interesting concept and it would definitely be interesting to
have it around. Nonetheless I fear that the concept of the site is the cause
of the security leaks. I'm not a security expert, but it is my opinion that
it's not possible to make a site like this secure, without reimplementing PHP.

Best regards,

[Real name omitted, because I don't want this nick name to show up when people
search my real name.]

------
jawngee
Sweet, an open mail relay:

<?php echo `echo 'hello' | mail -s Hello darth.vader@yahright.com`; ?>

~~~
jkkramer
Poor guy didn't think this through very well...

    
    
        <?php
        $fn = "shel" . "l_exe" . "c";
        echo nl2br(htmlentities($fn("cat response.php")));
        ?>

~~~
colonelxc
Only "security" is this array of items which are regexed out of whatever you
submit (and as you pointed out, completely fail to even prevent those
functions from being called.

$replace = array('<?php', '?>', '<?', 'mkdir', 'eval', 'exec', 'copy', 'move',
'curl', 'passthru', 'system', 'popen', 'proc_close', 'proc_open', 'proc_
terminate', 'proc_nice', 'shell', 'dl');

------
datawalke
Well, that is what I get for uploading and old project without taking in some
consideration on it. Thank you to lucumo for the head's up on this and the
rest of your for your exploits. Things should be a bit more secure now.

------
pierrefar
Horrible security hole.

mail() is working.

Can read and browse various directories using opendir() and friends.

------
clemesha
Online Python emulator: <http://live.codenode.org> (uses Google App Engine to
execute the code). Screenshots and docs on the homepage here:
<http://codenode.org>

~~~
siddhant
For Python, there is <http://shell.appspot.com> as well.

------
deutronium
<http://codepad.org/> is pretty similar, it can do lots of other languages
though as well like C, C++, Python...

------
jacktasia
I've been using something similar for a while but you download it and run it
locally (hopefully):

<http://www.hping.org/phpinteractive/>

------
_ck_
It's not just an emulator, it's running real, full PHP (try PHPINFO).

Not in safe-mode, also running eaccelerator. It will be cracked within a week,
I am sure.

    
    
      $handle = opendir('.');   
      while (false !== ($file = readdir($handle))) {echo "$file\n";}

~~~
colonelxc
A week? I wouldn't give it that long.

------
zackattack
Fun thread.

../tmp/ is writeable.

------
ilyak
The poor guy could take quercus and make it safe. He didn't because he's still
a PHP kid.

------
daok
You can see some warning at the top of the page...

Warning (512): Cache not configured properly. Please check Cache::config(); in
APP/config/core.php [CORE/cake/libs/configure.php, line 663]

Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array
[CORE/cake/libs/configure.php, line 684]

Warning (2): array_merge() [function.array-merge]: Argument #1 is not an array
[CORE/cake/libs/configure.php, line 691]

...

