lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Jan 2007 16:33:06 -0600
From: Mailinglists Address <mailinglist@...resshosting.net>
To: bugtraq@...urityfocus.com
Subject: Re: BOGUS: Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include

<snip class="drivel">
> file ;
> index.php
> sources/usercp.php
> sources/admin.php
>
> ########################################################################
>
> bugs ;
>
> require_once("{$CONF['path']}/sources/misc/classes.php");
>
>
> ########################################################################
> exp;
> /atsphp-5.0.1/index.php?CONF[path]=evilcode?
> /atsphp-5.0.1/sources/usercp.php?CONF[path]=evilcode?
> /atsphp-5.0.1/sources/admin.php?CONF[path]=evilcode?
>
> ########################################################################
>   
</snip>

in the index.php the $CONF['path'] variable is overwritten on line 20,
with line 26 being the require_once() call:

$CONF['path'] = '.';

This same line also is applied in the following file(s):

ssi.php
captcha.php
button.php
install/index.php
install/upgrade.php

in the source/user_cp.php file (incorrectly noted as usercp.php):
since the referenced require_once is enclosed in a class it is
impossible to instance this class and subsequently call the
require_once() on line 29.

in the source/admin.php file:
the same applies to this file as the require_once() are encapsulated
within a class that can not be instanced.

Tom Walsh
Express Web Systems, Inc.

Powered by blists - more mailing lists