Re: PHP Fuzzer Framework Insecure File Creation/Execution Vulnerability

[Valdis.Kletnieks () vt edu]

On Mon, 03 Aug 2009 16:03:13 EDT, elliot_mb () hushmail com said:
> VI. VENDOR RESPONSE
>
> Vendor was uninterested in fixing the issue.

Probably because PFF is usually run from a laptop or single-user workstation,
and you need a shell on the system already for this exploit to work. So it's
really not a big deal unless you're an insider who shouldn't have been trusted
with an account on the machine in question, or you've also got *another*
way to get access to the box.

> #include <sys/inotify.h>
>    struct inotify_event e;
>    n = inotify_init();
>    w = inotify_add_watch(n, "/tmp/PFF", IN_CREATE);

Bonus points for using inotify.. but...

> * DONT HIRE NIGGERS, THEY BRING ONLY FAILURE.

Oddly enough, the guys in charge who brought the South a loss were all white...

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/