lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 04 May 2010 13:15:59 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: bugtraq@...urityfocus.com
Subject: Re: Puntal (index.php) Remote File Inclusion Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've found similar deficiencies in other "vulnerabilities" listed by
inj3ct0r sh3ll.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 05/03/2010 04:39 PM, Tom Walsh - lists wrote:
> Both variables ($app_path and $puntal_path) are defined in the index.php
> file. As such they will never be overridden when the variables are passed
> via POST or GET. POST and GET variables are populated and placed into the
> global scope before the page is processed by the PHP processor engine
> (assuming register globals is enabled, which it hasn't been in a default PHP
> install in a long time).
> 
> Line 29 of index.php: $app_path = '/';
> Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path;
> 
> Additionally the following line (Line 43 of Index.php) calls a function
> specifically designed to unregister global variables in the global scope of
> the application.
> 
> This is not an exploit. Never was.
> 
> Nothing to see here... Move along.
> 
>> -----Original Message-----
>> From: eidelweiss@...erservices.com [mailto:eidelweiss@...erservices.com]
>> Sent: Monday, May 03, 2010 1:10 PM
>> To: bugtraq@...urityfocus.com
>> Subject: Puntal (index.php) Remote File Inclusion Vulnerabilities
>>
>> Puntal could allow a remote attacker to include malicious PHP files. A
> remote
>> attacker could send a specially-crafted URL request to the "index.php"
> script
>> using the "app_path=" OR "puntal_path=" parameter to specify a malicious
> PHP
>> file from a remote system, which would allow the attacker to execute
> arbitrary
>> code on the vulnerable system.
>>
>> Puntal 2.1.0 is vulnerable; other versions may also be affected.
>>
>> An attacker can exploit these issues via a browser.
>>
>> -=[P0C]=-
>>
>> http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
>>             or
>> http://127.0.0.1//path/index.php?puntal_path= [inj3ct0r sh3ll
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkvgVk8ACgkQkSlsbLsN1gC7HAb9FX3dMwlXSrXnnKboL9Bvy4Ty
S5xqbRUNFLVd06PmedXZ/Rx8OmFWR8YZpsLE39PZ+ri1hX8huQDFBm301iMFU+Q9
UeyiIBkra6jlf/WgSu5ZIFecHvd/GOU36rluV8CYSJhxoFh69UxihYSA9II2DeVv
nJIR1WAGeo0QJs4liaIoUE6YR6wy7ZEAg8/MLcR8RKlnQc3xyY0s0KIZ56TuFOUk
olKsvQBg3Wsw1DvPiOT5bdoOcXQjDr4ism/WUvZk1mub/g1Vlwj+d7mw61zuBp8v
eJjHF8pyQ+U4awRp5Rc=
=PoyY
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ