Date: Mon, 3 May 2010 15:39:23 -0500
From: "Tom Walsh - lists" <mailinglist@...resshosting.net>
To: <bugtraq@...urityfocus.com>
Subject: RE: Puntal (index.php) Remote File Inclusion Vulnerabilities

Both variables ($app_path and $puntal_path) are defined in the index.php
file. As such they will never be overridden when the variables are passed
via POST or GET. POST and GET variables are populated and placed into the
global scope before the page is processed by the PHP processor engine
(assuming register globals is enabled, which it hasn't been in a default PHP
install in a long time).

Line 29 of index.php: $app_path = '/';
Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path;

Additionally the following line (Line 43 of index.php) calls a function
specifically designed to unregister global variables in the global scope of
the application.

This is not an exploit. Never was.

Nothing to see here... Move along.

> -----Original Message-----
> From: eidelweiss@...erservices.com [mailto:eidelweiss@...erservices.com]
> Sent: Monday, May 03, 2010 1:10 PM
> To: bugtraq@...urityfocus.com
> Subject: Puntal (index.php) Remote File Inclusion Vulnerabilities
> 
> Puntal could allow a remote attacker to include malicious PHP files. A remote
> attacker could send a specially-crafted URL request to the "index.php" script
> using the "app_path=" OR "puntal_path=" parameter to specify a malicious PHP
> file from a remote system, which would allow the attacker to execute arbitrary
> code on the vulnerable system.
> 
> Puntal 2.1.0 is vulnerable; other versions may also be affected.
> 
> An attacker can exploit these issues via a browser.
> 
> -=[P0C]=-
> 
> http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
>             or
> http://127.0.0.1//path/index.php?puntal_path= [inj3ct0r sh3ll
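
Added example, not part of the original message and not Puntal's code: a small triage check for the argument made in the reply above, namely that a variable the script assigns before reading cannot keep a value injected through register_globals. The function name `first_use_is_assignment`, the sample source and the `hypothetical.php` and `$unset_path` names are constructed for illustration.

```php
<?php
// Added illustration, not Puntal's code. Function name and sample source are constructed.

/**
 * For each variable name, report whether its first appearance in $source
 * is a plain assignment ($var = ...). If so, a request-supplied global of
 * the same name is overwritten before the script can read it.
 */
function first_use_is_assignment(string $source, array $names): array
{
    $tokens = token_get_all($source);
    $result = array_fill_keys($names, null);   // null = variable never appears
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_VARIABLE) {
            continue;
        }
        $name = substr($tok[1], 1);             // drop the leading '$'
        if (!array_key_exists($name, $result) || $result[$name] !== null) {
            continue;                           // not tracked, or already decided
        }
        // Look at the next token that is not whitespace or a comment.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j])
            && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $j++;
        }
        // A plain '=' is a single-character string token; '==' and '.=' are not.
        $assigned = $j < $count && $tokens[$j] === '=';
        $result[$name] = ['line' => $tok[2], 'assigned_first' => $assigned];
    }
    return $result;
}

// Constructed sample: the two assignments quoted in the reply, followed by a
// hypothetical include and a variable that is read without being set.
$sample = <<<'PHP'
<?php
$app_path = '/';
$puntal_path = dirname(__FILE__).$app_path;
include $puntal_path.'hypothetical.php';
include $unset_path.'hypothetical.php';
PHP;

print_r(first_use_is_assignment($sample, ['app_path', 'puntal_path', 'unset_path']));
```

The check is flow-insensitive: it does not follow function scope, conditional assignment or included files, so a result of `assigned_first => false` marks a variable for manual review and is not a confirmed finding.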
