lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <469E6418.2020006@gmx.de>
Date: Wed, 18 Jul 2007 19:03:52 +0000
From: Cornelius Riemenschneider <c.r1@....de>
To: jkloske@...e.uq.edu.au
Cc: bugtraq@...urityfocus.com, sirn0n@...oo.com
Subject: Re: LFI On SMF 1.1.3

jkloske@...e.uq.edu.au schrieb:
> Let me preface this by saying I'm not a security expert, however
considering that the above line is immediately preceeded by:
>
> if (!isset($_REQUEST['action']) ||
!isset($actionArray[$_REQUEST['action']]))
>
> ...with a default action defined by either the theme or the the SMF
software itself (causing the LFI statement to never be reached), and
that $actionArray is statically defined beforehand; is this really an
LFI vulnerability, or just something that looks like the LFI pattern on
the surface?
>
It's NOT a security Vulnerability, false report, and @sirn0n, please
stop spamming, thx :)
Cornelius Riemenschneider
-- 

My source of power: www.humppa.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ