From: David Raeman (ralusp_at_mail.com)
Date: Tue Jul 30 2002 - 15:27:48 CDT

    Sympoll is a customizable voting booth system written
    in PHP. A missing variable integrity check allows
    arbitrary files to be viewed on a web server that hosts
    Sympoll version 1.2. Hosts that have disabled the
    register_globals directive in their php.ini file are
    not at risk.

    This vulnerability was reported to the Sympoll author
    on Tuesday, July 30 2002 at approximately 13:45 EST.
     A new version with a verified fix was released by
    16:15 EST the same day. It can be downloaded from
    http://www.ralusp.net/sympoll/

    Although this vulnerability only appears possible in
    version 1.2, users of older versions are also urged to
    upgrade immediately to gain the extra integrity checks
    that were added to Sympoll 1.3.

    All credit for this vulnerability report belongs to
    Mats Linander.

    Fixed (Not Vulnerable): Sympoll 1.3
    Vulnerable: Sympoll 1.2
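
An added example, not part of the original advisory or of Sympoll's code: a triage check that applies the two conditions stated above (Sympoll 1.2, register_globals enabled) to the text of a php.ini file. The function names, the `default_on` parameter and the sample php.ini fragments are assumptions made for illustration; the installed Sympoll version is passed in by the caller.

```python
import re

# php.ini spellings that PHP treats as boolean true; anything else is false.
TRUE_VALUES = {"1", "on", "true", "yes"}
# Directive names in php.ini are case sensitive, so match the exact name.
DIRECTIVE = re.compile(r"^\s*register_globals\s*=\s*(.*)$")


def register_globals_enabled(ini_text, default_on=False):
    """Return the effective register_globals setting from php.ini text.

    default_on applies when the directive is absent: PHP's built-in
    default is Off from 4.2.0 onward and On before that.
    """
    enabled = default_on
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):       # whole-line comment
            continue
        match = DIRECTIVE.match(line)
        if match:
            # Drop a trailing inline comment and any surrounding quotes.
            value = match.group(1).split(";", 1)[0].strip().strip("\"'")
            enabled = value.lower() in TRUE_VALUES   # last occurrence wins
    return enabled


def sympoll_exposed(sympoll_version, ini_text, default_on=False):
    """Advisory conditions: version 1.2 and register_globals enabled."""
    return sympoll_version.strip() == "1.2" and register_globals_enabled(
        ini_text, default_on)


# Constructed php.ini fragments, not taken from any real host.
SAMPLE_ON = """\
[PHP]
;register_globals = Off
register_globals = On   ; legacy application needs this
"""
SAMPLE_OFF = """\
[PHP]
register_globals = On
register_globals = "Off"
"""

if __name__ == "__main__":
    for name, ini in (("SAMPLE_ON", SAMPLE_ON), ("SAMPLE_OFF", SAMPLE_OFF)):
        print(name, "Sympoll 1.2 exposed:", sympoll_exposed("1.2", ini))
```

register_globals can also be set per directory with `php_flag` in Apache configuration or `.htaccess` files, which this check does not read, so a host reported as not exposed here still needs those locations reviewed.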