Message-ID: <20060705101945.66229.qmail@web27909.mail.ukl.yahoo.com>
Date: Wed Jul 5 11:19:53 2006
From: wh1t3h4t3 at yahoo.co.uk (Micheal Turner)
Subject: phpSysInfo arbitrary file identification
Tested 2.5.1
--- Micheal Turner <wh1t3h4t3@...oo.co.uk> wrote:
> phpSysInfo is a popular web script for displaying stats about a
> webserver, available from http://phpsysinfo.sourceforge.net/ with
> 365012 downloads to date. A vulnerability which allows an attacker to
> identify if a file exists on the remote system has been identified.
> Supplying a directory traversal string to lng= in a POST or GET
> request to index.php, terminated with a poison null byte (%00),
> allows an attacker to determine if any file exists. The vulnerable
> function is shown.
>
> if (!file_exists(APP_ROOT . '/includes/lang/' . $lng . '.php')) {
>
> An attacker can determine if the file exists by studying the returned
> error message: valid files return the string "Sorry, we don't support
> this language." and invalid files return the normal phpSysInfo
> application page.
>
> Example.
>
> www.somesite.com/phpSysInfo/index.php?template=blue&lng=../../../../../../../../../../../var/log/httpd-error.log%00
>
> Humour.
>
> http://www.google.co.uk/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&q=%22System+Information%22+phpSysInfo+site%3A.edu&btnG=Search&meta=
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
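As an added example (not phpSysInfo's code and not from the poster), the quoted check is shown beside a hardened replacement that validates lng against a language-code allowlist, keeps the resolved path inside the lang directory, and answers every rejection with the same generic message. APP_ROOT, the includes/lang layout and the two-letter language-code naming convention are assumptions.

```php
<?php
// Added example, not phpSysInfo code. APP_ROOT and the includes/lang
// layout are assumed to match the snippet quoted in the advisory.
define('APP_ROOT', __DIR__);

// The quoted pattern: $lng is concatenated straight into the path, so
// "../" walks out of includes/lang and (on PHP before 5.3.4) a trailing
// NUL byte truncates the ".php" suffix. Either way the existence of the
// target leaks through which page is returned.
function lang_file_exists_vulnerable(string $lng): bool
{
    return file_exists(APP_ROOT . '/includes/lang/' . $lng . '.php');
}

// Hardened lookup: only a bare language code is accepted, and the
// resolved path must stay inside the lang directory. Returns the
// path of the language file or null for every kind of rejection.
function resolve_lang_file(string $lng): ?string
{
    // Allowlist shape ("en", "de", "pt_br"); assumed naming convention.
    // Rejects "../", NUL bytes and anything else that is not a code.
    if (!preg_match('/^[a-z]{2}(?:_[a-z]{2})?$/', $lng)) {
        return null;
    }
    $langDir   = realpath(APP_ROOT . '/includes/lang');
    $candidate = realpath(APP_ROOT . '/includes/lang/' . $lng . '.php');
    // realpath() is false for a missing file, so an unknown language
    // is rejected without probing any path outside the lang directory.
    if ($langDir === false || $candidate === false) {
        return null;
    }
    // Containment check, in case a symlink inside includes/lang
    // points elsewhere.
    $prefix = $langDir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// One message for every failure, so the response no longer acts as a
// file-existence oracle.
function language_or_error(string $lng): string
{
    $file = resolve_lang_file($lng);
    return $file === null ? "Sorry, we don't support this language." : $file;
}
```

Note that even on PHP releases that reject NUL bytes in file_exists(), the unvalidated concatenation still answers whether an arbitrary "*.php" path exists, so the allowlist check is the fix, not the PHP upgrade.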