| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <442F319A.2000707@katamail.com>
Date: Sun Apr 2 03:05:00 2006
From: ascii at katamail.com (ascii)
Subject: Re: Mis-diagnosed XSS bugs hiding worse issues
due to PHP feature
Siegfried wrote:
> if(!empty($chemin)) $chemin = stripslashes($chemin);
> else $chemin = $depart;
[..]
> $chemintotal = $chemin;
[..]
> $handle = @opendir($chemintotal);
> $file = @readdir($handle);
> This poor check doesn't secure anything as it doesn't check slashes, and
> it's useless, BUT this isn't just a directory traversal as you can do
> http://[target]/dir.php?chemin=/etc/
> and it works as well..
hi Siegfried,
imho there is no check at all (and stripslashes() is called only to
make the script work smooth with magic_quotes on environments)
the error suppression shows the poor quality of this code
also this code seems to relay on register_globals on..
anyway i found only one location mentioning this script and on the
comment board there is a post dated 21/04/03 23:14 about $chemin
security
> je propose de mettre ces 2 ligne (? la ligne 12 de dir.php)
> $chemin=ereg_replace ("..\/", "", $chemin); $chemin=ereg_replace
> ("..\%2F", "", $chemin); normalement ca devrait bloquer les petits
> malins :)
http://www.phpscripts-fr.net/commentaires/commentaires_scripts.php?nom=933
so this bug is pretty old and the script seems to be unmaintained
regards, ascii, http://www.ush.it
ps: i haven't verified nor downloaded "ExplorerXP", but obviously i
completely trust your code snippet : )
Powered by blists - more mailing lists