lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200604130002.k3D02In5015295@cairo.mitre.org>
Date: Wed, 12 Apr 2006 20:02:18 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: crasher@...oak.or.id
Cc: bugtraq@...urityfocus.com
Subject: Re: Multiple vulnerabilities in Blur6ex



The XSS issue in the shard parameter appears to be resultant from a
more serious file inclusion vulnerability.  This is the kind of
diagnosis error that I have mentioned in the past [1].

Notice that the error message shows that it took the "shard" parameter
and directly inserted it into a filename that it then tried to open.
In addition, the "/" is not being filtered - otherwise the </h1> would
not be there:

>Warning: main(): Failed opening 'engine/shards/<h1>just test your
>web</h1>.php'
>for inclusion
>(include_path='.:/usr/lib/php/:/usr/share/pear/') in
>/var/www/html/blur/index.php on line 108


Looking at the source for index.php in blur6ex 0.3.462, we have:

>        $shard = $_REQUEST["shard"];
>...
>    		include('engine/shards/' . $shard .'.php');
>...
>            include('engine/shards/' . $shard . '.php');


There is not any apparent cleansing of the $shard variable (based on
grep test).

So, this looks like a directory traversal issue in a PHP include
statement, so arbitrary PHP files might be included and executed using
"../" sequences.  And without any apparent cleansing, it seems likely
that null character injection could be used to access files of any
extension.

NOTE - the errormsg parameter appears to be primary XSS.  From
engine/shards/login.php:

>    case "g_error":
>    $errormsg = $_REQUEST['errormsg'];
>...
>    	$thisContentObj->primaryContent = "Error: " . $errormsg;


This is all based on source code inspection only - I have not
installed and tested the product.

- Steve


References:

[1] Mis-diagnosed XSS bugs hiding worse issues due to PHP feature
    Bugtraq, April 1, 2006
    http://marc.theaimsgroup.com/?l=bugtraq&m=114392753509966&w=2


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ