[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4BE0564F.6050205@madirish.net>
Date: Tue, 04 May 2010 13:15:59 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: bugtraq@...urityfocus.com
Subject: Re: Puntal (index.php) Remote File Inclusion Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I've found similar deficiencies in other "vulnerabilities" listed by
inj3ct0r sh3ll.
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
On 05/03/2010 04:39 PM, Tom Walsh - lists wrote:
> Both variables ($app_path and $puntal_path) are defined in the index.php
> file. As such they will never be overridden when the variables are passed
> via POST or GET. POST and GET variables are populated and placed into the
> global scope before the page is processed by the PHP processor engine
> (assuming register globals is enabled, which it hasn't been in a default PHP
> install in a long time).
>
> Line 29 of index.php: $app_path = '/';
> Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path;
>
> Additionally the following line (Line 43 of Index.php) calls a function
> specifically designed to unregister global variables in the global scope of
> the application.
>
> This is not an exploit. Never was.
>
> Nothing to see here... Move along.
>
>> -----Original Message-----
>> From: eidelweiss@...erservices.com [mailto:eidelweiss@...erservices.com]
>> Sent: Monday, May 03, 2010 1:10 PM
>> To: bugtraq@...urityfocus.com
>> Subject: Puntal (index.php) Remote File Inclusion Vulnerabilities
>>
>> Puntal could allow a remote attacker to include malicious PHP files. A
> remote
>> attacker could send a specially-crafted URL request to the "index.php"
> script
>> using the "app_path=" OR "puntal_path=" parameter to specify a malicious
> PHP
>> file from a remote system, which would allow the attacker to execute
> arbitrary
>> code on the vulnerable system.
>>
>> Puntal 2.1.0 is vulnerable; other versions may also be affected.
>>
>> An attacker can exploit these issues via a browser.
>>
>> -=[P0C]=-
>>
>> http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll]
>> or
>> http://127.0.0.1//path/index.php?puntal_path= [inj3ct0r sh3ll
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iPwEAQECAAYFAkvgVk8ACgkQkSlsbLsN1gC7HAb9FX3dMwlXSrXnnKboL9Bvy4Ty
S5xqbRUNFLVd06PmedXZ/Rx8OmFWR8YZpsLE39PZ+ri1hX8huQDFBm301iMFU+Q9
UeyiIBkra6jlf/WgSu5ZIFecHvd/GOU36rluV8CYSJhxoFh69UxihYSA9II2DeVv
nJIR1WAGeo0QJs4liaIoUE6YR6wy7ZEAg8/MLcR8RKlnQc3xyY0s0KIZ56TuFOUk
olKsvQBg3Wsw1DvPiOT5bdoOcXQjDr4ism/WUvZk1mub/g1Vlwj+d7mw61zuBp8v
eJjHF8pyQ+U4awRp5Rc=
=PoyY
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists