Vulnerability Development mailing list archives
Re: Noguska Nola 1.1.1 [ Intranet Business Management Software ]
From: Ryan Fox <rfox () amerisuk com>
Date: 27 Jun 2002 12:14:37 -0400
On Tue, 2002-06-25 at 02:54, sindhi () hushmail com wrote:
> Noguska Nola 1.1.1 [ Intranet Business Management Software ]
> Exploit: Document Management Module allows php script upload.
> How simple can it get?

Though I'm no longer employed by Noguska, my name is still in the software and on the site (I imagine), so I feel compelled to respond.

I've attached a patch that defines a set of disallowed file extensions (though it's probably better reworked to be a set of allowed extensions). This vulnerability also appears in the Inventory Item Add/Update sections, as a file can be attached there in the same method as in the document manager.

The original message made no indication that you tried to contact the vendor. Did you?

Cheers,
Ryan Fox

Attachment: nola.vuln.patch
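
The reply above contrasts a set of disallowed extensions with a set of allowed ones. The following is an added example, not the attached patch (which is not reproduced on this page) and not Nola code, comparing the two checks over constructed filenames. The extension lists and function names are assumptions chosen for illustration.

```php
<?php
// Added example, not Nola code. Both extension lists are assumptions.
const ALLOWED_EXTENSIONS = ['pdf', 'txt', 'csv', 'png', 'jpg'];
const DENIED_EXTENSIONS  = ['php'];   // denylist approach, for comparison only

// Denylist check: rejects only the extensions the list author thought of.
function denylist_accepts(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

// Allowlist check: exactly one extension, and it must be on the list.
// Returns a server-chosen storage name, or null if the upload is refused.
function allowlist_storage_name(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName)); // drop any path part
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $base, $m)) {
        return null; // no extension, several dots, trailing dot, odd characters
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Never reuse the client's name on disk; keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, not taken from the original report.
$samples = ['q2-report.pdf', 'notes.PHP', 'page.phtml', 'logo.png',
            'archive.php.bak', 'README'];
foreach ($samples as $name) {
    printf("%-18s denylist=%-6s allowlist=%s\n",
        $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_storage_name($name) === null ? 'reject' : 'accept');
}
```

Only `q2-report.pdf` and `logo.png` pass the allowlist, while the denylist rejects nothing but `notes.PHP`. Storing uploads outside the web root, or in a directory where the server does not execute scripts, complements either check.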