
Re: [Full-disclosure] phpSysInfo arbitrary file identification



Tested 2.5.1

--- Micheal Turner <wh1t3h4t3@xxxxxxxxxxx> wrote:

> phpSysInfo is a popular webscript for displaying stats about a webserver,
> available from http://phpsysinfo.sourceforge.net/ with 365012 downloads to
> date. A vulnerability which allows an attacker to identify if a file exists
> on the remote system has been identified. Supplying a directory traversal
> string to lng= in a POST or GET request to index.php, terminated with a
> poison null byte (%00), allows an attacker to determine if any file exists.
> The vulnerable function is shown.
> 
>   if (!file_exists(APP_ROOT . '/includes/lang/' . $lng . '.php')) {
> 
> An attacker can determine if the file exists by studying the returned error
> message: valid files return the string “Sorry, we don't support this
> language.” and invalid files return the normal phpSysInfo application page.
> 
> 
> Example.
> www.somesite.com/phpSysInfo/index.php?template=blue&lng=../../../../../../../../../../../var/log/httpd-error.log%00
> 
> Humour.
> http://www.google.co.uk/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&q=%22System+Information%22+phpSysInfo+site%3A.edu&btnG=Search&meta=
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
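The quoted check passes user input straight into `file_exists()`, and the two different responses turn that call into a yes/no oracle for any path on the host. The following is an added example of how the language selection could be written defensively; it is not phpSysInfo's own code, and it assumes the `APP_ROOT . '/includes/lang/<code>.php'` layout the advisory quotes, a default language of `en`, language codes of the form `en` or `pt_br`, and PHP 7 or later. Note that PHP versions since 5.3.4 already refuse paths containing a NUL byte, but that alone does not close the hole: without the `%00` an attacker can still probe for any `.php` file via traversal, and the distinct error message still leaks the answer. The example therefore validates against a whitelist of installed files before touching the filesystem and answers every invalid value identically by falling back to the default language.

```php
<?php
// Added example (not phpSysInfo's own code): resolve a user-supplied
// language code safely. Layout assumed: APP_ROOT/includes/lang/<code>.php.

define('APP_ROOT', __DIR__);                     // assumption: script lives at the app root
define('LANG_DIR', APP_ROOT . '/includes/lang'); // layout quoted in the advisory
define('DEFAULT_LANG', 'en');                    // assumption: English is installed

// Strict syntax for a language code ("en", "pt_br"). \z (not $) so a
// trailing newline cannot sneak past the check.
const LANG_CODE_RE = '/^[a-z]{2}(_[a-z]{2})?\z/';

/**
 * List installed language codes by scanning LANG_DIR. Only files whose
 * basename matches LANG_CODE_RE are accepted, so a stray file in the
 * directory can never become a selectable "language".
 */
function installed_languages(): array
{
    $codes = [];
    foreach (glob(LANG_DIR . '/*.php') ?: [] as $path) {
        $code = basename($path, '.php');
        if (preg_match(LANG_CODE_RE, $code)) {
            $codes[] = $code;
        }
    }
    return $codes;
}

/**
 * Map the raw request value to a code that is guaranteed to be installed.
 * Traversal sequences, NUL bytes, absolute paths and unknown codes all fall
 * back to DEFAULT_LANG, so the response no longer reveals whether an
 * arbitrary path exists on the server.
 */
function select_language($raw): string
{
    if (!is_string($raw)) {
        return DEFAULT_LANG;
    }
    // Reject NUL bytes and anything outside the code syntax before any
    // filesystem call is made; "../", "/var/log/..." and "%00" never get
    // near file_exists().
    if (strpos($raw, "\0") !== false || !preg_match(LANG_CODE_RE, $raw)) {
        return DEFAULT_LANG;
    }
    // Compare against the whitelist instead of probing the filesystem with
    // user-derived input.
    return in_array($raw, installed_languages(), true) ? $raw : DEFAULT_LANG;
}

function language_file(string $code): string
{
    return LANG_DIR . '/' . $code . '.php';
}

// The advisory notes both GET and POST are accepted; handle both explicitly.
$lng  = select_language($_GET['lng'] ?? $_POST['lng'] ?? DEFAULT_LANG);
$file = language_file($lng);

// Only a whitelisted file is ever passed to the filesystem. A missing default
// language file is a deployment error, not something the request controls.
if (!is_file($file)) {
    http_response_code(500);
    exit('Language files are not installed correctly.');
}
require $file;
```

The important design choice is that the request value is never used to build a path that is then tested for existence; it is only ever compared against names the application itself enumerated, and every rejection produces the same page as a valid request for the default language.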