lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45ED675C.8050308@internl.net>
Date: Tue, 06 Mar 2007 14:06:36 +0100
From: Maurice Makaay <maurice.makaay@...ernl.net>
To: RaeD Hasadya <raed@...mail.com>
Cc: Bugtraq@...urityfocus.com
Subject: Re: XXS in script Phorum

RaeD Hasadya wrote:
> =======================================================================
> Script : Script Phorum
> Found By : Hasadya Raed
> Contact : RaeD@...Mail.Com
> =================================================
> exemple:
> http://www.site.com/[path]/admin.php?upgradefile=">**********alert(********.******);</script>
> ======================
> Greetz : Only To Security Focus :)
>   
Is this output coming from some automated security checking script or 
what? It looks a lot like it, since the reporter apparently did not look 
at the PHP code or wasn't capable of understanding what the PHP code 
does. On the 7th of februari, the same kind of report was issued already 
by Crack_man <c_r_ck@...mail.com>. The contents of that report were:

=======================================================================
title: XXS in script Phorum

homepage: www.phorum.org
found: 2007-02-25
by: Crack_man

=================================================
exemple:
http://www.site.com/[path]/admin.php?upgradefile="><script>alert(document.cookie);</script>
======================
greetz : all friend 


We replied to that previous report that it was classified as a 100% 
bogus report, after investigating the Phorum source code. So why report 
it again? Here is the reply that we sent in response to the first report:

--------------

Once again, a false report about Phorum.  Please issue an apology ASAP.

1. upgradefiles as a var is only used inside a function.  PHP does not take variables from the global scope for use in functions automatically.

2. 2 lines before that var is echoed, it is set by reading a file name from disk using the dir() function in PHP.

3. The dir() function reads from a hard coded, relative path on disk and does not use a variable.

Thanks for trying.  If you find a real bug, please let us know.  We strive to make Phorum as bug free as possible.
--------------


This response still stands.
This bug report is a fake.


With kind regards,

Maurice Makaay
Phorum.org developer

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ