lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <9CA621425D6EAE4FBBD29326CC7D11060E9C36@unity-svr.Unity.local>
Date: Tue Jan 24 10:57:37 2006
From: Ed at unityitservices.co.uk (Edward Pearson)
Subject: Improper Character Handling In PHP Based Scripts like PhpBB, IPB etc.

I can't reproduce this on vBulletin; haven't tried the others.
Anybody know a good prog to discover what ASCII chars are?

________________________________

From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of h4cky0u
Sent: 24 January 2006 10:43
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Improper Character Handling In PHP Based Scripts like PhpBB, IPB etc.


Well this was after I found somebody posing as me on my site -->
http://www.h4cky0u.org which was actually quite interesting and
dangerous (looking from the social engineering point of view).
 
Download the following file -
 
http://www.h4cky0u.org/poc.txt
 
Make sure you download it and do not view it from the browser. Once you
download that file, open it in your text editor. You should see something
like:
 
--desiredusername

Copy that whole string and try and post it on any PHP based blog, forum
etc., or register a username with that string. Now what do you see? The --
part from --desiredusername is gone! But apparently it's still there. It
still hides within that string (try and reverse the process you just
did). OK, so the bug has been confirmed. Now come the questions:
 
1) Is this really a bug in PHP (tested with PHP 4.3.11; later
versions might as well be affected)? Or am I overlooking something?
 
2) What is the ASCII code of that -- part in the file if it isn't just 2
simple hyphens? (Tried all the possible methods but couldn't come up with
anything positive.)
 
3) What are the possible ways to avoid something like this?

-- 
http://www.h4cky0u.org
(In)Security at its best... 
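An added example, not from either poster nor from PhpBB, IPB or vBulletin, that does in Python what questions 2 and 3 of the quoted post ask for: it lists each character's code point and Unicode name instead of guessing from how it renders, flags invisible characters, and rejects or cleans a username that carries them before it can collide with an existing account. It assumes the hidden part of the string is made of non-printing Unicode code points such as U+00AD SOFT HYPHEN; the SAMPLE string is constructed here and is not the contents of poc.txt.

```python
import unicodedata

# Constructed sample (an assumption, not the contents of poc.txt): a name with
# two SOFT HYPHENs (U+00AD) in front and a ZERO WIDTH SPACE (U+200B) at the
# end. Both are invisible in most renderings, so it displays as "admin".
SAMPLE = "\u00ad\u00adadmin\u200b"

ALLOWED = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"


def inspect(s):
    """(char, code point, Unicode name, category) for every character in s.
    Answers 'what is that -- really?' without trusting the rendering."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"),
             unicodedata.category(ch)) for ch in s]


def is_hidden(ch):
    """Invisible in most renderings: control, format, private-use or
    unassigned (general category C*), or any non-ASCII whitespace."""
    return (unicodedata.category(ch).startswith("C")
            or (ch.isspace() and ord(ch) > 0x7F))


def hidden_chars(s):
    """Code points in s that would vanish when displayed."""
    return [f"U+{ord(ch):04X}" for ch in s if is_hidden(ch)]


def strip_hidden(s):
    """Drop the characters is_hidden() flags; keep everything visible."""
    return "".join(ch for ch in s if not is_hidden(ch))


def username_is_safe(s):
    """Allow-list check for registration: only visible ASCII letters, digits,
    underscore and hyphen. Anything else is rejected, not silently shown."""
    return bool(s) and all(ch in ALLOWED for ch in s)


def impersonates(candidate, existing):
    """True if candidate looks like an existing name once hidden characters
    are removed and case is folded, i.e. a lookalike registration."""
    return strip_hidden(candidate).casefold() == strip_hidden(existing).casefold()


if __name__ == "__main__":
    for ch, cp, name, cat in inspect(SAMPLE):
        print(f"{cp}  {cat}  {name}")
    print("hidden:", hidden_chars(SAMPLE))
    print("safe:", username_is_safe(SAMPLE), "cleaned:", strip_hidden(SAMPLE))
    print("impersonates admin:", impersonates(SAMPLE, "admin"))
```

Run it on the real downloaded file by reading it as UTF-8 and passing the line to inspect(); the allow-list check is what a registration handler should apply before storing the name.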
