lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 8 Oct 2010 17:19:46 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: full-disclosure@...ts.grok.org.uk, pen-test@...urityfocus.com, 
	security-basics@...urityfocus.com, webappsec@...urityfocus.com
Subject: [Tool Update Announcement] inspathx - Path
	Disclosure Finder

UPDATE

Check it out at

svn checkout http://inspathx.googlecode.com/svn/trunk/ inspathx-read-only


For those who don't know inspathx

https://code.google.com/p/inspathx/

_____________________________

WHAT¶

A tool that uses local source tree to make requests to the url and
search for path inclusion error messages. It's ever a common problem
in PHP web applications that we're hating to see for ever. We hope
this tool triggers no path disclosure flaws any more. See our article
about path disclosure.

http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt



WHY¶

Web application developers sometimes fail to add safe checks against
authentications, file inclusion ..etc are prone to reveal possible
sensitive information when those applications' URLs are directly
requested. Sometimes, it's a clue to File Inclusion vulnerability. For
open-source applications, source code can be downloaded and checked to
find such information.

This script will do this job.

   1. First you have to download source archived file of your desired OSS.
   2. Second, extract it.
   3. Third, feed its path to inspath

The inspath takes

    * -d or --dir argument as source directory (of application)
    * -u or --url arguement as the target base URL (like http://victim.com)
    * -t or --threads argument as the number of threads concurrently
to run (default is 10)
    * -l argument as your desired language php,asp,aspx,jsp,all?
(default is all)
    * -x argument as your desired extensions separated with |
character (default : php4|php5|php6|php|asp|aspx|jsp|jspx) - make sure
to enclose multiple extensions with double quotes - See Examples

Read the related text:
http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt

Similar terms: Full Path Disclosure, Internal Path Leakage



SUPPORTED LANGUAGES¶

    * PHP
    * ASP(X)
    * JSP(X)


HOW¶

ruby inspathx.rb -d /sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

ruby inspathx.rb -d c:/sources/phpmyadmin -u http://localhost/phpmyadmin -t 20

ruby inspathx.rb -d c:/sources/dotnetnuke -u
http://localhost/dotnetnuke -t 20 -l aspx

ruby inspathx.rb -d c:/sources/jspnuke -u http://localhost/jspnuke -t
20 -l jsp -x "jsp|jspx"



SAMPLE LOGS¶

Mambo 4.6.5 http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_mambo_.log

WordPress 3.0.1
http://inspathx.googlecode.com/svn/trunk/sample_logs/localhost_wp_.log


REFERENCES¶

http://www.owasp.org/index.php/Full_Path_Disclosure

http://projects.webappsec.org/Information-Leakage

http://cwe.mitre.org/data/definitions/209.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ