Full Disclosure mailing list archives
Re: EasyPHP 12.1 - Remote code execution of any php/js on local PC
From: andfarm <andfarm () gmail com>
Date: Mon, 3 Dec 2012 22:46:05 -0800
On 2012-12-03, at 17:40, Seth Arnold <seth.arnold () canonical com> wrote:
Their documentation is extremely clear that their software should only ever be used locally: If their webserver binds to anything other than localhost then I'll quickly agree that this is a misconfiguration and a security problem. But if they do bind to localhost only this seems a bit overhyped.
It's still vulnerable to XSRF even if it only binds to localhost. And, given that the vulnerable script codetester.php is at a known location and requires no nonce for submissions, it's incredibly straightforward to attack. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: EasyPHP 12.1 - Remote code execution of any php/js on local PC auto59190641 (Dec 02)
- Re: EasyPHP 12.1 - Remote code execution of any php/js on local PC Jeffrey Walton (Dec 03)
- Re: EasyPHP 12.1 - Remote code execution of any php/js on local PC Seth Arnold (Dec 03)
- Re: EasyPHP 12.1 - Remote code execution of any php/js on local PC andfarm (Dec 03)
- Re: EasyPHP 12.1 - Remote code execution of any php/js on local PC Seth Arnold (Dec 03)
- Re: EasyPHP 12.1 - Remote code execution of any php/js on local PC Jeffrey Walton (Dec 03)