I'm using the following code:
$data = json_decode($_GET["payload"]);
$env = $data->env;
putenv("MYENV=".$env);
But this function is being exploited. I have no idea how. The attacker can execute any code on my machine (Windows).
Does anybody have an idea how this is possible or how to fix it?
Because some enviroment variable are dangerous like LD_PRELOAD on linux. Generally this not depend exclusively by putenv, but by other possible vulnerability in you code (eg if you exec something that use some magic configuration via enviroment this may led to the exploitaition)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.