[<prev] [next>] [day] [month] [year] [list]
Message-ID: <e5312d6a0407030919695cf86a@mail.gmail.com>
From: divzero at gmail.com (Rudolf Polzer)
Subject: Re: VERY HIGH VULNERABILITY DISCLOSURE !!! MASS ROOT POSSIBLE !!! PLEASE BE ATTENTIVE !!!
On Sat, 3 Jul 2004 06:40:55 +0200, Frog M@n <frogman@...bon.net> wrote:
> This is IHCTEAM material. We fuck blackhats and we own the planet.
> This is a leet advisory, s0 l33t. Just read it and be quiet.
Not at all. But it's always good to mention the Nr. 1 security
nightmare people produce with scripting language. Good job.
> There is a BIGBUG in all php versions, in the include() function.
> If this function is badly used, a roxor hax0r (like us) can compromise
> a box remotely. He can execute commands with apache rights.
If it's badly used, the author of the script should get another job.
> index.php:
> ...
> include($page); // <--- fucking lame
> ...
Just because many PHP programmers are fucking idiots you cannot blame
that on PHP.
> <?
> system("$cmd");
> ?>
So your next advisory will be about a BIGBUG in system() - when badly
used, an attacker can execute arbitrary code on your webserver?
We all already know that. Really.
> Don't use the include() function, it is coded by idiots, like THEO@...nbsd.
No. Do not use the include() function with unchecked untrusted input,
for it will do what the documentation says.
> We owned everything and everywhere with this exploit:
> www.apache.org
> www.debian.org
> www.nasa.gov
If that is true (proof?), it should appear in the news soon.
> WE ARE LOOKING FOR A JOB IN THE SECURITY RESEARCH
lol, after THIS el-cheapo "security advisory"? Get a life. Find a real bug.
--
< polzer> besonders krank ist jedoch Kenny nach einer Basistransformation...
< polzer> Zcssczcssszszsz cscccczzzzzz zcszzc ccczsczcs.
< polzer> (ROT13)^{-1} Kenny ROT13
< polzer> .oO( fpbecker sucht das inverse Programm zu ROT13 )
Powered by blists - more mailing lists