Message-ID: <2f6cb7b40603290040wdde0019h2b404c54c72afa4@mail.gmail.com>
Date: Wed Mar 29 09:40:58 2006
From: nocfed at gmail.com (nocfed)
Subject: Critical PHP bug - act ASAP if you are running
	web with sensitive data

On 3/29/06, Tõnu Samuel <tonu@....ee> wrote:
>
---SNIP---
> There is one vector most people do not seem to know. You can telnet to port
> 80 and say
>
> GET <?php .....
>
> write full script there and include web server log file later. Who knows what
> else blackhats can do. Every single hole must be closed.
>
---END SNIP---

Right, that is a vector that nobody knows about unless they have
common sense.  There were previous bugs with text editor(s) which used
logfiles to push the payload.  Why someone would ever decide to
include parsable logfiles directly into a script is beyond me, and I'm
sure is even beyond the kid that has been tinkering around the crap
known as php, a god awful scripting language, for but a single day.

Are we next going to be told about the little known security flaw of
directly putting user input into a system() call that uses sudo(8)
with no password verification?

>>
> > I can't speak for other distros, but there's a bug in Gentoo Bugzilla
> > for this: http://bugs.gentoo.org/127939
>
> Thank you! I think this problem must be fixed in every PHP version, not only
> 5.1 series. They knew about it but never told. That's bad.
>
>    Tõnu
>
> -------------------------------------------------------

Never told?  It was in CVS.  Do you wish for all OSS projects to just
include mailing lists on every bug submitted?  From now on we'll just
all CC full-disclosure on every bugzilla report and CVS submission
that we come across or submit.

By the way, why start a new thread with the same subject?
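
The log-file inclusion vector discussed in this thread depends on request text being written verbatim into the web server's access log. As an added example (not part of the original message), this Python check flags PHP open tags in logged fields; the log lines are constructed samples in Apache combined format, and `find_php_in_log` is a hypothetical name.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" \d{3} \S+'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?'
)
# Matches <?php, <?= and short <? (but not <?xml). The URL-encoded form
# %3C%3F is flagged too: it is stored encoded in the log, but marks probing.
PHP_TAG_RE = re.compile(r'(?:<|%3c)(?:\?|%3f)(?!xml)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2006:09:12:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Mar/2006:09:13:44 +0000] "GET <?php echo 1; ?>" 400 226 "-" "-"',
    '198.51.100.7 - - [29/Mar/2006:09:14:02 +0000] "GET / HTTP/1.1" 200 812 "-" "<?= 1 ?>"',
    '192.0.2.11 - - [29/Mar/2006:09:15:30 +0000] "GET /feed?x=%3C%3Fphp HTTP/1.1" 404 209 "-" "curl/7.15"',
]

def find_php_in_log(lines):
    """Return (line_no, host, field) for each logged field holding a PHP open tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            # A line that does not parse is scanned whole rather than skipped.
            if PHP_TAG_RE.search(line):
                hits.append((n, None, "raw"))
            continue
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if value and PHP_TAG_RE.search(value):
                hits.append((n, m.group("host"), field))
    return hits

if __name__ == "__main__":
    for hit in find_php_in_log(SAMPLE_LOG):
        print(hit)
```

A hit means the log now contains text that would be parsed as PHP if any script passed that file to `include`, so the finding is worth correlating with requests that reference log paths in parameters.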
