EXPLOIT-DEV : CentOS 6.3 vs Ubuntu 12.04

There are many methods to exploit Local File Inclusion (LFI) of a vulnerability PHP web application in Linux systems. Some of them are invalid in the latest version of Linux distributions, I think. For example, those methods are processes injection, log files injection, session files injection and etc.



Unfortunately, in my recently research, I find out that PHP session files of CentOS 6.3 (maybe applied for previous versions) in default settings can be injected and loaded. However, Ubuntu 12.04 cannot. (Remarks : I did not check the other Linux distributions for this research.)



When the PHP session files can be injected and loaded along with LFI vulnerability, a remote shell can be obtained by attackers.



Basically, CentOS is a clone of RedHat Enterprise Linux.



Reference : Web vulnerabilities to gain access to the system



That's all! See you.