Message-ID: <20071220202028.3416.qmail@securityfocus.com>
Date: 20 Dec 2007 20:20:28 -0000
From: antonio@...oniocortes.com
To: bugtraq@...urityfocus.com
Subject: Re: Morcego CMS <= 0.9.6 Remote File Inclue Vulnerability

It's a Fake:

There's the line: 


[Line 827] include_once($fichero);


It isn't possible to change the value of this variable with a GET parameter:


function cargar_includes(){
     
     $includes = explode(';', $this -> get_var('includes'));
     foreach($includes as $include){
         $fichero = $this -> ruta_conf . $include ;
         if (!empty($include) && file_exists($fichero)){
             include_once($fichero);
             }
         }
    
     }

In another line

class cls_morcegoCMS { 
[...]
function includePHP( $cadena ) {
        // we strip the / or \ from $cadena; only files that are in includes will be allowed
        $str_out = '';
        $cadena = str_replace( "\\", "/", $cadena );
        $cadena = ( strrpos( $cadena, '/') === false ) ? $cadena : substr( $cadena, - ( strrpos ( $cadena, '/') + 2 ));
        $fichero = dirname(__FILE__) . '/../' . $cadena ;
        if (file_exists( $fichero  )){
            @ob_start();
            @include_once( $fichero);
            $str_out = @ob_get_contents();
            @ob_end_clean();
        }
        return $str_out;
    }
[...]

I think it's too easy to publish a false vulnerability based on an old and unknown script.
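
The intent stated in the includePHP() comment quoted above (keep only the file name, so that only files inside the includes directory can be loaded) can be written as a stand-alone check. This is an added example, not part of the original message and not Morcego CMS code; resolve_include(), the temporary directory and the sample requests are hypothetical and constructed for the demonstration.

```php
<?php
// Added example (not Morcego CMS code). resolve_include() is a hypothetical helper.
// Returns the real path of $name inside $baseDir, or null if it must not be included.
function resolve_include(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // Keep only the last path component, whichever separator was used.
    $leaf = basename(str_replace('\\', '/', $name));
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;
    }
    // realpath() resolves symlinks and returns false when the file is missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $leaf);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check: the resolved file must still live under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: one legitimate include file in a scratch directory.
$dir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/menu.php', '<?php return "menu";');

// Constructed sample requests, as they might arrive in a request parameter.
$requests = ['menu.php', 'sub/menu.php', '..\\..\\menu.php',
             'http://example.invalid/x.php', '../outside.php', '..', ''];
foreach ($requests as $req) {
    $path = resolve_include($dir, $req);
    printf("%-34s => %s\n", var_export($req, true),
        $path === null ? 'rejected' : 'include ' . basename($path));
}

unlink($dir . '/menu.php');
rmdir($dir);
```

A URL or a path pointing elsewhere is reduced to its last component and then has to exist as a regular file under the base directory, so only files already shipped in that directory are ever passed to include.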
