Vulnerability Development mailing list archives

Re: Noguska Nola 1.1.1 [ Intranet Business Management Software ]


From: Ryan Fox <rfox () amerisuk com>
Date: 27 Jun 2002 12:14:37 -0400

On Tue, 2002-06-25 at 02:54, sindhi () hushmail com wrote:
> Noguska Nola 1.1.1 [ Intranet Business Management Software ]
>
> Exploit: Document Management Module allows php script upload. How simple can it get?

Though I'm no longer employed by Noguska, my name is still in the
software and on the site (I imagine), so I feel compelled to respond. 
I've attached a patch that defines a set of disallowed file extensions
(though it's probably better reworked to be a set of allowed
extensions).  This vulnerability also appears in the Inventory Item
Add/Update sections, as a file can be attached there in the same method
as in the document manager.  

The original message made no indication that you tried to contact the
vendor.  Did you?

Cheers,
Ryan Fox

Attachment: nola.vuln.patch
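
The following is an added example, not part of the original message and not the contents of nola.vuln.patch. It contrasts the deny-list approach the message describes with the allow-list it suggests as the better rework; the function names, extension sets and sample filenames are all assumptions constructed for illustration.

```php
<?php
// Added illustration; not the contents of nola.vuln.patch.
// Both extension sets are assumptions chosen for this example.
const DENIED_EXTENSIONS  = ['php', 'php3', 'phtml'];             // deny-list approach
const ALLOWED_EXTENSIONS = ['pdf', 'txt', 'csv', 'png', 'jpg'];  // allow-list approach

/** Return every dot-separated extension of a client-supplied filename, lower-cased. */
function upload_extensions(string $name): array
{
    $base  = basename(str_replace('\\', '/', $name));   // drop any client-side path
    $parts = explode('.', strtolower(rtrim($base, ". \t")));
    array_shift($parts);                                 // first part is the stem
    return $parts;
}

/** Deny-list: rejects only the extensions someone remembered to list. */
function denylist_accepts(string $name): bool
{
    $exts = upload_extensions($name);
    return $exts === [] || !in_array(end($exts), DENIED_EXTENSIONS, true);
}

/** Allow-list: exactly one extension, and it must be a known document type. */
function allowlist_accepts(string $name): bool
{
    if (strpos($name, "\0") !== false) {
        return false;                                    // embedded NUL byte
    }
    $exts = upload_extensions($name);
    return count($exts) === 1 && in_array($exts[0], ALLOWED_EXTENSIONS, true);
}

// Constructed sample filenames, not taken from the advisory.
$samples = ['report.pdf', 'notes.PHP', 'page.php5', 'image.php.jpg', 'README'];
foreach ($samples as $name) {
    printf(
        "%-14s deny-list: %-7s allow-list: %s\n",
        $name,
        denylist_accepts($name) ? 'accept' : 'reject',
        allowlist_accepts($name) ? 'accept' : 'reject'
    );
}
```

An extension check is only one layer: the same validation has to be applied at every attachment point (the message names the document manager and the Inventory Item Add/Update sections), and stored uploads should live where the web server will not execute them.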