EasyPHP codetester remote exploit

After my little IE/Apache bug excursion I decided to join the EasyPHP forum. I use EasyPHP as my private development setup when on Windows. I'll maybe move over to CentOS under Hyper-V at some point. Back on topic, while browsing through the articles related to the latest release, I discovered an interesting one by forum member o2326570. He highlights an EasyPHP codetester remote exploit. The exploit allows a malicious webpage to execute any PHP script it wants on your local development environment. That's a little bit scary. The exploit takes advantage of the Code Tester's trusting nature: it runs whatever code is posted to it without checking that the request came from its own page. Since the Code Tester is not essential to your site, the quickest way to fix it is to delete it. I decided to try to plug the hole though; someone was going to do it at some point, so why not me.

Fixing the bug on my shiny new Windows 8 setup involves using what I find to be one of the worst-named security practices, a nonce. To be topical I should have used $_SESSION['Jimll_fix_it'] but I was more concerned with getting the fix working than injecting bad humour into the code.

EasyPHP codetester remote exploit – fix

I’ve described the fix for the EasyPHP codetester remote exploit over at the EasyPHP forum. For those who don’t want to manually change the php files, I’ve uploaded the fix to Github. Don’t worry if you don’t use git, there’s a “zip” button at the top that’ll download the fix in a .zip file.

I think the EasyPHP people will fix it in the next release so the Github code won’t need to be used for long. In the meantime feel free to use it if you need it.

So, EasyPHP codetester remote exploit, consider yourself fixed. Cue security professionals telling me I haven’t actually fixed it because of scenario x, y and z…
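The pattern the fix uses, as an added example written for this post and not the EasyPHP project's own Code Tester code (the function names, the session key codetester_nonce and the form field names are assumptions): the nonce is generated server-side, stored in the session, embedded in the Code Tester's own form, and checked before any submitted code is handed to the existing execution routine. A page on another origin cannot read the nonce, so a forged POST fails the check.

```php
<?php
// Added example, not EasyPHP's code: a per-session nonce guarding the
// Code Tester's form handler against cross-site POSTs.
session_start();

// Issue one unpredictable nonce per session and keep it server-side.
function codetester_nonce(): string {
    if (empty($_SESSION['codetester_nonce'])) {
        $_SESSION['codetester_nonce'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['codetester_nonce'];
}

// Compare the submitted nonce to the session copy in constant time.
function codetester_nonce_valid(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['codetester_nonce'])) {
        return false;
    }
    return hash_equals($_SESSION['codetester_nonce'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!codetester_nonce_valid($_POST['nonce'] ?? null)) {
        // A request from a third-party page never carries a valid nonce,
        // so it is refused before the submitted code is looked at.
        http_response_code(403);
        exit('Refused: request did not carry a valid Code Tester nonce.');
    }
    $code = $_POST['code'] ?? '';
    // Only here would the Code Tester's existing execution routine be
    // called with $code; that routine is unchanged by the fix.
}

$nonce = htmlspecialchars(codetester_nonce(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <textarea name="code"></textarea>
  <input type="hidden" name="nonce" value="<?= $nonce ?>">
  <button type="submit">Run</button>
</form>
```

The nonce must live in the server-side session rather than in a cookie alone, since a cookie is sent automatically with a cross-site form submission and would be of no use as a check.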

4 thoughts on “EasyPHP codetester remote exploit”

  1. Fusberta Sylvain's cheaper website says:

    Can you please send an e-mail to me the code for this script or please tell me in detail about this script?

    1. me says:

      Hi, there’s a link to the script hosted on github in the post.

  2. luban says:

    You really make it appear really easy with your presentation however I to find this topic to be really something which I feel I would never understand. It kind of feels too complicated and extremely wide for me. I am looking forward on your subsequent put up, I'll attempt to get the dangle of it!

  3. Evening says:

    My brother recommended I might like this web site. He was entirely right. This post actually made my day. You can not imagine simply how much time I had spent for this info! Thanks!

Comments are closed.