Message-ID: <20060705101945.66229.qmail@web27909.mail.ukl.yahoo.com>
Date: Wed Jul  5 11:19:53 2006
From: wh1t3h4t3 at yahoo.co.uk (Micheal Turner)
Subject: phpSysInfo arbitrary file identification

Tested 2.5.1

--- Micheal Turner <wh1t3h4t3@...oo.co.uk> wrote:

> phpSysInfo is a popular webscript for displaying stats
> about a webserver available from
> http://phpsysinfo.sourceforge.net/ with 365012
> downloads to date. A vulnerability which allows an
> attacker to identify if a file exists on the remote
> system has been identified. Supplying a directory
> traversal string to lng= in a POST or GET request to
> index.php with a terminating poison null byte (%00)
> allows an attacker to determine if any file exists.
> The vulnerable function is shown.
> 
>   if (!file_exists(APP_ROOT . '/includes/lang/' . $lng . '.php')) {
> 
> An attacker can determine if the file exists by
> studying the returned error message: valid files
> return the string "Sorry, we don't support this
> language." and invalid files return the normal
> phpSysInfo application page.
> 
> Example.
> www.somesite.com/phpSysInfo/index.php?template=blue&lng=../../../../../../../../../../../var/log/httpd-error.log%00
> 
> Humour.
> http://www.google.co.uk/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&q=%22System+Information%22+phpSysInfo+site%3A.edu&btnG=Search&meta=
> 
> 
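Added example, not part of the original post and not phpSysInfo code: a log check that flags lng= values carrying the traversal string, path separators or null byte described in the message above, run over constructed access-log lines. The index.php path match, the sample lines and the allowed shape of a language name are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (documentation IPs), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jul/2006:11:02:13 +0100] "GET /phpSysInfo/index.php?template=blue&lng=en HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jul/2006:11:02:40 +0100] "GET /phpSysInfo/index.php?template=blue&lng=../../../../var/log/httpd-error.log%00 HTTP/1.1" 200 38 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jul/2006:11:02:41 +0100] "GET /phpSysInfo/index.php?lng=..%2F..%2Fvar%2Flog%2Fhttpd-error.log%2500 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.77 - - [05/Jul/2006:11:03:02 +0100] "GET /phpSysInfo/index.php?lng=pt-br HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# Assumption: legitimate language names are short tokens such as "en" or "pt-br".
SAFE_LNG = re.compile(r"^[A-Za-z0-9_-]{1,16}$")


def suspicious_lng(value):
    """Return the reasons an lng value looks like a file-existence probe."""
    decoded = unquote(value)  # undo one extra layer of percent-encoding
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte")
    if ".." in decoded:
        reasons.append("traversal")
    if "/" in decoded or "\\" in decoded:
        reasons.append("path separator")
    if not reasons and not SAFE_LNG.match(decoded):
        reasons.append("unexpected characters")
    return reasons


def scan(log_text):
    """Return (client, lng value, reasons) for each flagged index.php request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/index.php"):
            continue
        # parse_qs percent-decodes once, so %00 arrives here as "\x00".
        for value in parse_qs(parts.query, keep_blank_values=True).get("lng", []):
            reasons = suspicious_lng(value)
            if reasons:
                findings.append((client, value, reasons))
    return findings


if __name__ == "__main__":
    for client, value, reasons in scan(SAMPLE_LOG):
        print(f"{client} lng={value!r}: {', '.join(reasons)}")
```

Standard access logs record the query string but not request bodies, so this covers the GET form only; the POST form needs body logging or a check in the application itself.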
