Bugtraq mailing list archives
RE: Puntal (index.php) Remote File Inclusion Vulnerabilities
From: "Tom Walsh - lists" <mailinglist () expresshosting net>
Date: Mon, 3 May 2010 15:39:23 -0500
Both variables ($app_path and $puntal_path) are defined in the index.php file. As such they will never be overridden when the variables are passed via POST or GET. POST and GET variables are populated and placed into the global scope before the page is processed by the PHP processor engine (assuming register globals is enabled, which it hasn't been in a default PHP install in a long time). Line 29 of index.php: $app_path = '/'; Line 41 of index.php: $puntal_path = dirname(__FILE__).$app_path; Additionally the following line (Line 43 of Index.php) calls a function specifically designed to unregister global variables in the global scope of the application. This is not an exploit. Never was. Nothing to see here... Move along.
-----Original Message----- From: eidelweiss () cyberservices com [mailto:eidelweiss () cyberservices com] Sent: Monday, May 03, 2010 1:10 PM To: bugtraq () securityfocus com Subject: Puntal (index.php) Remote File Inclusion Vulnerabilities Puntal could allow a remote attacker to include malicious PHP files. A
remote
attacker could send a specially-crafted URL request to the "index.php"
script
using the "app_path=" OR "puntal_path=" parameter to specify a malicious
PHP
file from a remote system, which would allow the attacker to execute
arbitrary
code on the vulnerable system. Puntal 2.1.0 is vulnerable; other versions may also be affected. An attacker can exploit these issues via a browser. -=[P0C]=- http://127.0.0.1//path/index.php?app_path= [inj3ct0r sh3ll] or http://127.0.0.1//path/index.php?puntal_path= [inj3ct0r sh3ll
Current thread:
- Puntal (index.php) Remote File Inclusion Vulnerabilities eidelweiss (May 03)
- RE: Puntal (index.php) Remote File Inclusion Vulnerabilities Tom Walsh - lists (May 03)
- Re: Puntal (index.php) Remote File Inclusion Vulnerabilities Justin C. Klein Keane (May 04)
- <Possible follow-ups>
- Re: RE: Puntal (index.php) Remote File Inclusion Vulnerabilities donald00 (May 04)
- RE: Puntal (index.php) Remote File Inclusion Vulnerabilities Tom Walsh - lists (May 03)