Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Re: Mis-diagnosed XSS bugs hiding worse issues due to PHP feature
From: "Siegfried" <admin () zone-h fr>
Date: Sun, 2 Apr 2006 08:21:02 +0200 (CEST)

Yes like you said there is no check, because the stripslashes is a joke.
And yes this script isn't famous at all, but it was just to show a recent
example of an error in the advisory, even if this one is just a detail

There are some people who publish really many xss/sql injection
advisories, but really MANY, you all saw it, i'm quite sure some of them
just use their browser to "audit" them (like other people use fuzzers for
other stuff), i don't criticize their work, but i'm more than sure that
some of them provide incomplete and/or incorrect informations because they
didn't look well.

if they audit with their browser and have a php version installed older
than php 5.1.2, they may post a xss advisory while it was something really
different, or just _nothing_ because it was the xss in the php error
message, like that example of the Guppy directory traversal.

well there is no need to talk more about it in my opinion
end of thread for me :)

Siegfried

From: ascii <ascii_at_katamail.com>
Date: Sun, 02 Apr 2006 04:06:18 +0200

Siegfried wrote:

if(!empty($chemin)) $chemin = stripslashes($chemin);
else $chemin = $depart;
[..]
$chemintotal = $chemin;
[..]
$handle = @opendir($chemintotal);
$file = @readdir($handle);

This poor check doesn't secure anything as it doesn't check slashes, and
it's useless, BUT this isn't just a directory traversal as you can do
http://[target]/dir.php?chemin=/etc/
and it works as well..

hi Siegfried,

imho there is no check at all (and stripslashes() is called only to
make the script work smooth with magic_quotes on environments)

the error suppression shows the poor quality of this code

also this code seems to relay on register_globals on..

anyway i found only one location mentioning this script and on the
comment board there is a post dated 21/04/03 23:14 about $chemin
security

je propose de mettre ces 2 ligne (&#65533; la ligne 12 de dir.php)
$chemin=ereg_replace ("..\/", "", $chemin); $chemin=ereg_replace
("..\%2F", "", $chemin); normalement ca devrait bloquer les petits
malins :)

http://www.phpscripts-fr.net/commentaires/commentaires_scripts.php?nom=933

so this bug is pretty old and the script seems to be unmaintained
regards, ascii, http://www.ush.it

ps: i haven't verified nor downloaded "ExplorerXP", but obviously i
completely trust your code snippet : )

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault