Is PHP vulnerable and under what conditions?

We are going to analyze a special method of attacking Web Servers. It is known as LFI with PHP Info vulnerability [1]. It was first publish by Insomnia Sec at 2011. The method clever handles some PHP build-in features (such as upload and wildcards [2]) to accomplish a well formed attach that will end up with an arbitrary code execution (call me remote shell) on the victim's server. Requires two specific flaws on the server: A phpinfo() function must be available along with a LFI vulnerability. By combining the above two, a high risk attack can be implemented. The method has been tested successfully on Windows as well as Linux operating systems on IIS and Apache web servers. The same method failed on NginX web server.

How safe is our personal information?

What you will learn

• How bad guys use information already exists on the net to gain access to:
• your email accounts,
• your financial information such as credit cards, PayPal accounts etc,
• your internet hosting accounts (if you have any),
• your personal web sites,
• your personal life in general!
• How you can protect yourself by such bad situations by following some very simple but very efficient security rules.

The actual incident that this article is based on was 100% real but for privacy reasons all referred user names are not the real ones and they have been chosen randomly. According to the same reason all images have been obscured.