mailing list archives
Re: ashnews Cross-Site Scripting Vulnerability
From: DanB-FD <dan-fd () f-box org>
Date: Tue, 31 Jan 2006 10:43:19 +0000
Dan B UK wrote:
Due to the nature of the issue I am not disclosing the detail of it
until the writer of the software has updated it; maybe you could have
A vulnerability that allows privileges of the apache user within the
limitations of how much PHP has been locked down.
Since the author of the product has got back to me with the following I
think it is ok to disclose the issue now.
"That is a known error. Unfortunately I have completely abondoned
ashnews. In fact, I have been neglecting taking it down completely which
I am going to do right now. - Derek"
The issue is in the handling of the $pathtoashnews, it is not validated
before being used by the script. Allowing remote or local file inclusion.
( The ? is required to make the remote server (f-box.org) ignore the
string that is appended to the variable $pathtoashnews )
( The website that is in the example above has already been defaced! )
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/