lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 24 Oct 2006 08:50:07 -0500
From: "J. Carlos Nieto" <xiamkong@...oo.com.mx>
To: crackers_child@...ersavascilar.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Smarty-2.6.1 Remote File Include Vulnerabilities

On Mon, 2006-10-23 at 16:30 +0000, crackers_child@...ersavascilar.com 

> <?php
> 
> require_once './config.php';
> require_once SMARTY_DIR . 'Smarty.class.php';
> require_once 'PHPUnit.php';

SMARTY_DIR is a constant, isn't it?

> 
> 
> http://www.site.com/Smarty-2.6.14/unit_test/test_cases.php?SMARTY_DIR=Sh3ll?
> 

But you are passing a variable with value "Sh3ll".

And since variable != constant it won't work, at least in the piece of
code you gave us.

Where is the bug?

-- 
La civilización no suprime la barbarie, la perfecciona. -Voltaire
http://xiam.underlife.org

__________________________________________________
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis! 
Regístrate ya - http://correo.yahoo.com.mx/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ