| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.GSO.4.51.0708221806400.13432@faron.mitre.org>
Date: Wed, 22 Aug 2007 18:16:35 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: 3APA3A <3APA3A@...urity.nnov.ru>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities digest
On Tue, 21 Aug 2007, 3APA3A wrote:
> 6. Ivan Niiiil (http://uNkn0wn.eu) reports vulnerabilities in
> Linkliste 1.2, Butterfly online vistors counter 1.08, mcLinksCounter
> 1.2, My_REFERER 1.08.
>
> Original messages in English are available from
> http://securityvulns.com/source26994.html
This issue, originally reported in CVE-2006-4863 for 1.1, was disputed by
CVE and another party because langfile was set to a hard-coded value
(english.php) before the include statement.
For 1.2, there's a different hard-coded value (french.php) but the issue
seems to be the same. From stats.php in 1.2 we have:
include "mclc.php";
include "$langfile";
and mclc.php has the interesting idiom:
if (!empty($_GET)) { extract($_GET, EXTR_OVERWRITE); }
whose security implications should be immediately apparent to PHP
aficionados everywhere. (I refer to this as a "variable extraction
error", CWE-621).
However, after this code, we have:
$langfile="french.php";
french.php itself has no include/require code.
So, if this issue is legitimate, it would be useful to know how this
exploit works.
Thanks,
Steve
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists