lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <17255.1052559397@www37.gmx.net>
Date: Sat, 10 May 2003 11:36:37 +0200 (MEST)
From: ScriptSlave@....net
To: bugtraq@...urityfocus.com
Subject: Re: II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version)


>SSI.php:
>------------------------------------------
>include_once ($sourcedir . '/Errors.php');
>include_once ($sourcedir . '/Subs.php');
>include_once ($sourcedir . '/Load.php');    
>------------------------------------------

You should probably quote the lines above this block, too.

------------------------------------------
(Line #031) $full_yabbse_path = '.';
(Line #048) include_once ($full_yabbse_path . '/Settings.php');
------------------------------------------

and you should quote Settings.php:

------------------------------------------
(Line #067) $sourcedir = "/home/something/board/Sources";
------------------------------------------

so before Errors.php is included, $sourcedir is *always* set to a value,
overwriting any variable that is passed through the URL.

>We can define $sourcedir variable through URL and include some other
>PHP script local or remote if remote inclusion is enabled in php.ini file.
>Bug in not exploitable if PHP's registar_globals is set to off. 

see above - you can't

>Add this line before include_once() lines mentioned above.
>
>----cut here----
>if (!isset($sourcedir)) $sourcedir = "";
>----cut here----

So you are setting $sourcedir to "" if it isn't set? Whats the point of
this?

The hole does *not* exist, as the variable $sourcedir is always set to a
value.  Even if the user did not yet configure YaBB SE, $sourcedir is set to an
empty value.

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ