| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Jun 2006 08:19:10 -0500
From: str0ke <str0ke@...w0rm.com>
To: "Federico Fazzi" <federico@...istici.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: aWebNews <= 1.0 (login.php) Remote DocumentRoot file disclosure
Federico,
$pagetogo is only used as follows.
<META HTTP-EQUIV="refresh" content="1; URL=<?=$pagetogo;?>">
So the META refresh is disclosing something?
/str0ke
On 6/6/06, Federico Fazzi <federico@...istici.org> wrote:
> */ Federico Fazzi, <federico@...istici.org>
> */ aWebNews <= 1.0 (login.php) Remote DocumentRoot file disclosure
> */ 04/06/2006 5:48
>
> login.php: line 64-68,
>
> Bug:
>
> -- start --
> if ($_GET['page'] == "") {
> $pagetogo = "index.php";
> } else {
> $pagetogo = $_GET['page'];
> }
> -- end --
>
> Proof of concept:
>
> Open the browser and go at:
>
> http://example.org/aWebNews/login.php?page=/aWebNews/[some file]
>
> now insert login and password and press enter.. now you can
> read [some file] at documentroot master directory.
>
> Patch:
>
> --- login.php 2006-06-04 05:45:51.000000000 +0200
> +++ login.php 2006-06-04 05:44:22.000000000 +0200
> @@ -61,10 +61,8 @@
> }
> else
> {
> -if ($_GET['page'] == "") {
> +if ($_GET['page'] != 'index.php') {
> $pagetogo = "index.php";
> -} else {
> -$pagetogo = $_GET['page'];
> }
> ?>
> <div class="side-headline">Login </div><div align="center"><br>Your are logged in as:
> <b><?=$_SESSION['Username'];?></b><br>Please <a href="<?=$_SERVER['PHP_SELF'];?>?mode=logout">Logout.</a><br>
>
> */ end of file
>
>
Powered by blists - more mailing lists