
Full Disclosure mailing list archives

Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature
From: ascii <ascii () katamail com>
Date: Sun, 02 Apr 2006 04:06:18 +0200

Siegfried wrote:

> if(!empty($chemin)) $chemin = stripslashes($chemin);
> else $chemin = $depart;
> $chemintotal = $chemin;
> $handle  = @opendir($chemintotal);
> $file    = @readdir($handle);
>
> This poor check doesn't secure anything as it doesn't check slashes, and
> it's useless, BUT this isn't just a directory traversal as you can do
> and it works as well..

hi Siegfried,

imho there is no check at all (and stripslashes() is called only to
make the script work smooth with magic_quotes on environments)

the error suppression shows the poor quality of this code

also this code seems to rely on register_globals on..

anyway i found only one location mentioning this script and on the
comment board there is a post dated 21/04/03 23:14 about $chemin

> I suggest adding these 2 lines (at line 12 of dir.php)
> $chemin=ereg_replace ("..\/", "", $chemin); $chemin=ereg_replace
> ("..\%2F", "", $chemin); normally that should block the little
> smart-alecks :)

so this bug is pretty old and the script seems to be unmaintained

regards, ascii, http://www.ush.it

ps: i haven't verified nor downloaded "ExplorerXP", but obviously i
completely trust your code snippet : )
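The following is an added example written for this archive page; it is not code from the thread, from ExplorerXP, or from the comment board. It shows how the quoted dir.php listing logic can be written so that the user-supplied directory name is contained inside a fixed base directory, without relying on register_globals, stripslashes() or `@` error suppression, and without the pattern-stripping fix suggested on the comment board. The base directory `$depart`, the function name `listDirectorySafely` and the `files` subdirectory are assumptions for the example.

```php
<?php
// Added example (not from the thread or from ExplorerXP): a hardened
// replacement for the quoted dir.php listing logic. The base directory
// $depart is assumed to be configured by the script; $chemin is read
// explicitly from the request instead of relying on register_globals.
declare(strict_types=1);

function listDirectorySafely(string $base, ?string $requested): array
{
    // Canonicalise the base once; fail closed if it does not exist.
    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        throw new RuntimeException('Base directory is not available');
    }

    // Empty or missing parameter means "the base directory", as in the original.
    $target = ($requested === null || $requested === '')
        ? $baseReal
        : $baseReal . DIRECTORY_SEPARATOR . $requested;

    // realpath() resolves "..", repeated separators and symlinks, so the
    // containment check below is the actual control, not a textual
    // replacement such as ereg_replace("..\/", "", ...) on the input.
    $targetReal = realpath($target);
    if ($targetReal === false || !is_dir($targetReal)) {
        throw new RuntimeException('Requested directory does not exist');
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($targetReal !== $baseReal
        && strncmp($targetReal, $prefix, strlen($prefix)) !== 0) {
        // Resolved path lies outside the allowed tree: log it and refuse.
        error_log('dir listing refused, path outside base: ' . (string) $requested);
        throw new RuntimeException('Access denied');
    }

    // No @ suppression: a failure here is an operational error worth seeing.
    $entries = scandir($targetReal);
    if ($entries === false) {
        throw new RuntimeException('Unable to read directory');
    }
    return array_values(array_diff($entries, ['.', '..']));
}

// Usage. The parameter name "chemin" is kept from the original script.
// stripslashes() is not applied: magic_quotes_gpc is a legacy setting and
// the path is never placed into a string context that needs unescaping.
$depart = __DIR__ . '/files';          // assumed configured base directory
$chemin = $_GET['chemin'] ?? '';
try {
    foreach (listDirectorySafely($depart, $chemin) as $entry) {
        // Escape on output so file names cannot inject markup into the page.
        echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "\n";
    }
} catch (RuntimeException $e) {
    http_response_code(403);
    echo 'Listing not available';
}
```

The containment check compares the canonical target against the canonical base, so input such as `../`, `....//` or an absolute path is either resolved back inside the base or rejected, whichever realpath() produces; the script never has to enumerate patterns. Escaping on output addresses the XSS symptom that the thread's subject line describes as masking the underlying path issue.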

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
